- Daily - CERT.at

Tageszusammenfassung - 14.12.2017
by Daily end-of-shift report 14 Dec '17

14 Dec '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-12-2017 18:00 − Donnerstag 14-12-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ The Intel ME vulnerabilities are a big deal for some people, harmless for most ∗∗∗ --------------------------------------------- (Note: all discussion here is based on publicly disclosed information, and I am not speaking on behalf of my employers)I wrote about the potential impact of the most recent Intel ME vulnerabilities a couple of weeks ago. The details of the vulnerability were released last week, and its not absolutely the worst case scenario but its still .. --------------------------------------------- https://mjg59.dreamwidth.org/49788.html ∗∗∗ Sneaky *.BAT File Leads to Spoofed Banking Page ∗∗∗ --------------------------------------------- If you thought using BAT files was old hat, think again. While monitoring our Secure Email Gateway Cloud service, we came across several suspect spam emails targeting Brazilian users. The figure .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Sneaky--BAT-File-Leads-to-Sp… ∗∗∗ Attack on Fox-IT shows how a DNS hijack can break multiple layers of security ∗∗∗ --------------------------------------------- Dutch security firm Fox-IT deserves praise for being open about an attack on its client network. There are some important lessons to be learned about DNS .. --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/12/attack-fox-it-shows-how-dns-… ∗∗∗ Triton Malware Targets Industrial Safety Systems In the Middle East ∗∗∗ --------------------------------------------- A rare and dangerous new form of malware targets the industrial safety control systems that protect human life. --------------------------------------------- https://www.wired.com/story/triton-malware-targets-industrial-safety-system… ∗∗∗ Dezember-Patchday bei SAP ∗∗∗ --------------------------------------------- Es stehen Sicherheitsupdates für verschiedene SAP-Produkte bereit. Zwei Lücken sind mit dem Bedrohungsgrad "hoch" eingestuft. --------------------------------------------- https://heise.de/-3918036 ∗∗∗ Mirai: Wie Minecraft-Betrug das ganze Internet in die Knie zwang ∗∗∗ --------------------------------------------- Drei US-amerikanische Studenten gestehen Urheberschaft – Wollten eigentlich nur mit Angriffen gegen Spieleserver Geld machen --------------------------------------------- http://derstandard.at/2000070340698 ∗∗∗ 34C3: Das Programm für den Hacker-Kongress steht ∗∗∗ --------------------------------------------- Keynote von Science-Fiction-Autor Charles Stross – Findet heuer erstmals in Leipzig statt --------------------------------------------- http://derstandard.at/2000070364235 ∗∗∗ New MacOS malware steals bank log-in details and intellectual property ∗∗∗ --------------------------------------------- https://www.scmagazineuk.com/news/new-macos-malware-steals-bank-log-in-deta… ===================== = Vulnerabilities = ===================== -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.12.2017
by Daily end-of-shift report 13 Dec '17

13 Dec '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-12-2017 18:00 − Mittwoch 13-12-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Argy-bargy Argies barge into Starbucks Wi-Fi with alt-coin discharges ∗∗∗ --------------------------------------------- Venti vanilla skinny latte with sprinkles of JavaScript and a side of Monero mining, please Starbucks has joined the long growing list of organizations that have inadvertently and silently mined alt-coins on customers computers for mystery miscreants.… --------------------------------------------- www.theregister.co.uk/2017/12/12/starbucks_wifi_crypto_mining/ ∗∗∗ Apple Security Flaws Give Some Researchers Concern About Deeper Issues ∗∗∗ --------------------------------------------- Apples had some prominent security lapses lately. But is it just a rough patch, or something deeper? --------------------------------------------- https://www.wired.com/story/apples-security-macos-high-sierra-ios-11 ∗∗∗ ROBOT-Attacke: TLS-Angriff von 1998 funktioniert immer noch ∗∗∗ --------------------------------------------- Sicherheitsforscher haben eine neue Variante der Bleichenbacher-Attacke zum Entschlüsseln von Internettraffic vorgestellt. Davon sind unter anderem Facebook und PayPal betroffen. --------------------------------------------- https://heise.de/-3916994 ∗∗∗ KRACK- und Broadpwn-Schwachstelle: Apple flickt AirPort-WLAN-Basisstationen erst jetzt ∗∗∗ --------------------------------------------- Ein Firmware-Update soll Apples WLAN-Basisstationen vor gravierenden Schwachstellen schützen – es deckt AirPort Express, AirPort Extreme und Time Capsule ab. --------------------------------------------- https://heise.de/-3916951 ===================== = Vulnerabilities = ===================== ∗∗∗ Gain Windows privileges with FortiClient vpn before logon and untrusted certificate ∗∗∗ --------------------------------------------- When the "VPN before logon" feature of FortiClient Windows is enabled (disabled by default), and when the server certificate is not valid, it is possible for an attacker without a user account on the targeted Windows workstation to obtain SYSTEM level privileges, via .. --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-070 ∗∗∗ VPN credentials disclosure in Fortinet FortiClient ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/vpn-credentials-disclosure-i… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.12.2017
by Daily end-of-shift report 12 Dec '17

12 Dec '17

===================== = End-of-Day report = ===================== Timeframe: Montag 11-12-2017 18:00 − Dienstag 12-12-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Security update available for Adobe Flash Player (APSB17-42) ∗∗∗ --------------------------------------------- A Security Bulletin (APSB17-42) has been published regarding a security update for Adobe Flash Player. This update addresses a regression that could lead to the unintended reset of the global settings preference file. Adobe .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1514 ∗∗∗ Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses ∗∗∗ --------------------------------------------- Windows Defender Antivirus uses a layered approach to protection: tiers of advanced automation and machine learning models evaluate files in order to reach a verdict on suspected malware. While Windows Defender AV detects a vast majority of .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/12/11/detonating-a-bad-rabbit… ∗∗∗ December 2017 security update release ∗∗∗ --------------------------------------------- Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically, and for customers running previous versions, we recommend they .. --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/12/12/december-2017-security-… ∗∗∗ New Ruski hacker clan exposed: Theyre called MoneyTaker, and theyre gonna take your money ∗∗∗ --------------------------------------------- Subtly named group has gone largely unnoticed until now Security researchers have lifted the lid on a gang of Russian-speaking cybercrooks, dubbed MoneyTaker. --------------------------------------------- www.theregister.co.uk/2017/12/11/russian_bank_hackers_moneytaker/ ∗∗∗ Googles Project Zero reveals Apple jailbreak exploit ∗∗∗ --------------------------------------------- Holy Moley! iOS and MacOS were wholly holey Ian Beer of Googles Project Zero has followed up on a “coming soon” Twitter teaser with a jailbreakable iOS and Mac OS vulnerability. --------------------------------------------- www.theregister.co.uk/2017/12/12/apple_jailbreak_exploit/ ∗∗∗ Hintergrund: Malware-Analyse - Do-It-Yourself ∗∗∗ --------------------------------------------- Bauen Sie Ihre eigene Schadsoftware-Analyse-Sandbox, um schnell das Verhalten von unbekannten Dateien zu überprüfen. Dieser Artikel zeigt, wie das mit der kostenlosen Open-Source-Sandbox Cuckoo funktioniert. --------------------------------------------- https://heise.de/-3910855 ∗∗∗ An analysis of 120 mobile app stores uncovers plethora of malicious apps ∗∗∗ --------------------------------------------- RiskIQ analyzed 120 mobile app stores and more than 2 billion daily scanned resources. In listing and analyzing the app stores hosting the most malicious mobile apps and the most prolific developers of malicious apps, their Q3 mobile threat landscape report documents an increase in blacklisted apps over Q2, as well as the continued .. --------------------------------------------- https://www.helpnetsecurity.com/2017/12/12/mobile-app-stores-malicious-apps/ ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4063 pdns-recursor - security update ∗∗∗ --------------------------------------------- Toshifumi Sakaguchi discovered that PowerDNS Recursor, a high-performance resolving name server was susceptible to denial of service via a crafted CNAME answer. --------------------------------------------- https://www.debian.org/security/2017/dsa-4063 ∗∗∗ Cisco Email Security Appliance Header Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Simple Mail Transfer Protocol (SMTP) header filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to bypass configured user filters on the device. The vulnerability is due to improper handling of a malformed SMTP header in .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DSA-4064 chromium-browser - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-4064 ∗∗∗ Qt for Android vulnerable to OS command injection ∗∗∗ --------------------------------------------- http://jvn.jp/en/jp/JVN67389262/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.12.2017
by Daily end-of-shift report 11 Dec '17

11 Dec '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-12-2017 18:00 − Montag 11-12-2017 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Heres How to Enable Chrome "Strict Site Isolation" Experimental Security Mode ∗∗∗ --------------------------------------------- Google Chrome 63, which shipped yesterday evening, arrived with a new experimental feature called Site Isolation that according to Google engineers is an additional security layer on top of Chromes built-in sandboxing technology. --------------------------------------------- https://www.bleepingcomputer.com/news/google/heres-how-to-enable-chrome-str… ∗∗∗ Script Recovers Event Logs Doctored by NSA Hacking Tool ∗∗∗ --------------------------------------------- Security researchers have found a way to reverse the effects of an NSA hacking utility that deletes event logs from compromised machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/script-recovers-event-logs-d… ∗∗∗ Botconf 2017 Wrap-Up Day #3 ∗∗∗ --------------------------------------------- And this is already the end of Botconf. Time for my last wrap-up. The day started a little bit later to allow some people to recover from the social event. --------------------------------------------- https://blog.rootshell.be/2017/12/08/botconf-2017-wrap-day-3/ ∗∗∗ Security, Incident Response, Privacy and Data Protection ∗∗∗ --------------------------------------------- [...] to protect the personal data on their systems and networks, security and incident response teams must themselves process personal data. Fortunately regulators also provide guidance on balancing privacy protection and privacy invasion. The words “legitimate interest” are not just a phrase, but one of the most deeply analysed terms in data protection law. --------------------------------------------- https://www.first.org/blog/20171211_GDPR_for_CSIRTs ===================== = Vulnerabilities = ===================== ∗∗∗ DFN-CERT-2017-2228/">ISC DHCPD: Eine Schwachstelle ermöglicht einen Denial-of-Service Angriff ∗∗∗ --------------------------------------------- Ein nicht authentisierter Angreifer im benachbarten Netzwerk kann eine Schwachstelle im DHCP Daemon (ISC DHCPD) mit Hilfe speziell präparierter OMAPI-Nachrichten ausnutzen, um die Zahl der verfügbaren Dateideskriptoren im zugehörigen Prozess zu erschöpfen und dadurch einen Denial-of-Service (DoS)-Zustand zu erzeugen. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2228/ ∗∗∗ DFN-CERT-2017-2238/">Tor-Browser: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- Mehrere Schwachstellen im Tor Browser vor Version 7.5a9 bzw. 7.0.11 ermöglichen einem entfernten, nicht authentisierten Angreifer die Durchführung von Denial-of-Service (DoS)-Angriffen. Zwei Schwachstellen ermöglichen das Ausspähen von Informationen. Die Schwachstelle CVE-2017-7845 in der verwendeten Firefox ESR Version ermöglicht dem Angreifer das Ausführen beliebigen Programmcodes und eine weitere Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2238/ ∗∗∗ Sicherheit: Keylogger in HP-Notebooks gefunden ∗∗∗ --------------------------------------------- Schon wieder wurde in einem vorinstallierten Treiber von HP ein Keylogger gefunden. Zwar ist die Schnüffelfunktion standardmäßig deaktiviert, ein Forscher fand allerdings einen Weg, das zu ändern. --------------------------------------------- https://www.golem.de/news/sicherheit-keylogger-in-hp-notebooks-gefunden-171… ∗∗∗ DFN-CERT-2017-2237/">Node.js: Mehrere Schwachstellen ermöglichen u.a. das Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Node.js ermöglichen einem entfernten, nicht authentisierten Angreifer das Umgehen von Sicherheitsvorkehrungen und das Ausspähen von Informationen. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2237/ ∗∗∗ DFN-CERT-2017-2236/">GitLab: Mehrere Schwachstellen ermöglichen u.a. das Ausspähen von Informationen ∗∗∗ --------------------------------------------- Eine Schwachstelle in GitLab ermöglicht einem entfernten, nicht authentisierten Angreifer das Ausspähen von Informationen über private Projekte. Mehrere weitere Schwachstellen ermöglichen einem entfernten, einfach authentisierten Angreifer einen Cross-Site-Scripting (XSS)-Angriff, das Ausspähen von Informationen und die Eskalation von Privilegien. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2236/ ∗∗∗ DFN-CERT-2017-2239/">Jenkins-Plugin: Eine Schwachstelle ermöglicht das Lesen beliebiger Dateien ∗∗∗ --------------------------------------------- Ein entfernter, einfach authentisierter Angreifer mit der Berechtigung, abgesicherte (sandboxed) Groovy- und Pipeline-Skripte zu erstellen, kann eine Schwachstelle im Jenkins-Plugin Script Security ausnutzen, um Lesezugriff auf beliebige Dateien des Master-Dateisystems von Jenkins zu erhalten. Dadurch sind weitere Angriffe möglich. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2239/ ∗∗∗ Android flaw lets attack code slip into signed apps ∗∗∗ --------------------------------------------- The vulnerability, CVE-2017-13156, was addressed in patch level 1 of the December Android update, so those who get their patches directly from Google should be protected. Unfortunately, due to the nature of the Android ecosystem, many vendors and carriers are slow to release fixes. --------------------------------------------- https://www.theregister.co.uk/2017/12/08/android_flaw_lets_attack_code_slip… ∗∗∗ FortiClient improper access control of users VPN credentials ∗∗∗ --------------------------------------------- FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations; regular users may therefore be able to see each others encrypted credentials. This is an issue, because the key used to encrypt the aforementioned credentials may be retrieved from the binary. --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-214 ∗∗∗ Xiongmai Technology IP Cameras and DVRs ∗∗∗ --------------------------------------------- This advisory contains mitigation details for a stack-based buffer overflow vulnerability in Xiongmai Technology IP Cameras and DVRs. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-341-01 ∗∗∗ Rockwell Automation FactoryTalk Alarms and Events ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an improper input validation vulnerability in Rockwell Automations FactoryTalk Alarms and Events component. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-341-02 ∗∗∗ PHOENIX CONTACT FL COMSERVER, FL COM SERVER, and PSI-MODEM/ETH ∗∗∗ --------------------------------------------- This advisory contains mitigation details for a cross-site scripting vulnerability in PHOENIX CONTACT’s FL COMSERVER, FL COM SERVER, and PSI-MODEM/ETH industrial networking equipment. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-341-03 ∗∗∗ Cisco Email Security Appliance Header Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Memory Leak Vulnerability in Multiple Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171206-… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK and IBM Java Runtime Affect IBM Web Experience Factory ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22011357 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in openssh affect IBM Flex System Manager (FSM) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1026378 ∗∗∗ IBM Security Bulletin: A vulnerability in Apache Solr affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22010330 ∗∗∗ IBM Security Bulletin: A vulnerability in strongSwan affects IBM Flex System Manager (FSM) (CVE-2017-11185) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1026377 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Flex System Manager (FSM) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1026250 ∗∗∗ IBM Security Bulletin: A vulnerability in libxml2 affects IBM Flex System Manager (FSM) (CVE-2016-9318) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1026376 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- http://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc ∗∗∗ IBM Security Bulletin: Security vulnerabilities have been identified in DB2 which is shipped with IBM Performance Management products ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008900 ∗∗∗ IBM Security Bulletin: Fix Available for IBM iNotes Cross-site Scripting Vulnerability (CVE-2017-1421) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005234 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities identified in IBM® Java SDK affect WebSphere Service Registry and Repository and WebSphere Service Registry and Repository Studio. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22011198 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.12.2017
by Daily end-of-shift report 07 Dec '17

07 Dec '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-12-2017 18:00 − Donnerstag 07-12-2017 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ "Process Doppelgänging" Attack Works on All Windows Versions ∗∗∗ --------------------------------------------- Today, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called "Process Doppelgänging." [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/-process-doppelg-nging-attac… ∗∗∗ Firmware-Bug: Codeausführung in deaktivierter Intel-ME möglich ∗∗∗ --------------------------------------------- Sicherheitsforscher demonstrieren einen Angriff auf Intels ME zum Ausführen von beliebigem Code, gegen den weder das sogenannte Kill-Bit noch die von Google geplanten Sicherheitsmaßnahmen für seine Server helfen. Theoretisch lassen sich Geräte so auch aus der Ferne angreifen. --------------------------------------------- https://www.golem.de/news/firmware-bug-codeausfuehrung-in-deaktivierter-int… ∗∗∗ Apple Issues Security Updates for MacOS, iOS, TvOS, WatchOS, and Safari ∗∗∗ --------------------------------------------- Catalin Cimpanu, writing for BleepingComputer: Over the course of the last four days, Apple has released updates to address security issues for several products, such as macOS High Sierra, Safari, watchOS, tvOS, and iOS. The most relevant security update is the one to macOS, as it also permanently fixes the bug that allowed attackers to access macOS root accounts without having to type a password. Apple issued a patch for the bug the next day after it was discovered, but because the patch was [...] --------------------------------------------- https://apple.slashdot.org/story/17/12/06/2137251/apple-issues-security-upd… ∗∗∗ VB2017 paper: Modern reconnaissance phase on APT – protection layer ∗∗∗ --------------------------------------------- During recent research, Cisco Talos researchers observed the ways in which APT actors are evolving and how a reconnaissance phase is included in the infection vector in order to protect valuable zero-day exploits or malware frameworks. At VB2017 in Madrid, two of those researchers, Paul Rascagneres and Warren Mercer, presented a paper detailing five case studies that demonstrate how the infection vector is evolving. --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/11/vb2017-paper-modern-reconnai… ∗∗∗ 37 Sicherheitslücken in Chrome geschlossen ∗∗∗ --------------------------------------------- Googles Webbrowser Chrome ist in der abgesicherten Version 63.0.3239.84 für Linux, macOS und Windows erschienen. Im Menüpunkt "Hilfe" kann man unter "Über Google Chrome" die installierte Ausgabe prüfen und das Update anstoßen. --------------------------------------------- https://heise.de/-3912131 ∗∗∗ Sysinternals Sysmon suspicious activity guide ∗∗∗ --------------------------------------------- Sysmon tool from Sysinternals provides a comprehensive monitoring about activities in the operating system level. Sysmon is running in the background all the time, and is writing events to the event log. You can find the Sysmon events under the Microsoft-Windows-Sysmon/Operational event log. This guide will help you to investigate and appropriately handle these events. --------------------------------------------- https://blogs.technet.microsoft.com/motiba/2017/12/07/sysinternals-sysmon-s… ∗∗∗ Penetration Testing Apache Thrift Applications ∗∗∗ --------------------------------------------- ... Apache Thrift, which is used to easily build RPC clients and servers regardless of programming languages used on each side. The web interception tool of choice at MDSec is Burp Suite, so it follows suit that we wanted to continue using Burp during the assessment. Unfortunately, there are no Burp extensions out there (at least that we know of) for Thrift encoded data, so we decided to make our own. --------------------------------------------- https://www.mdsec.co.uk/2017/12/penetration-testing-apache-thrift-applicati… ∗∗∗ November 2017: The Month in Ransomware ∗∗∗ --------------------------------------------- November didn’t shape up to be revolutionary in terms of ransomware, but the shenanigans of cyber-extortionists continued to be a major concern. The reputation of the Hidden Tear PoC ransomware project hit another low as it spawned a bunch of new real-life spinoffs. The crooks who created the strain dubbed Ordinypt [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/cyber-s… ∗∗∗ StorageCrypt: Ransomware infiziert NAS-Geräte via SambaCry-Lücke ∗∗∗ --------------------------------------------- Viele Netzwerkspeicher (NAS) weisen noch immer die SMB-Lücke SambaCry auf. Ein aktueller Verschlüsselungstrojaner macht sich das zunutze. NAS-Besitzer sollten zügig patchen. --------------------------------------------- https://heise.de/-3912498 ===================== = Vulnerabilities = ===================== ∗∗∗ OpenSSL Security Advisory [07 Dec 2017] ∗∗∗ --------------------------------------------- Read/write after SSL object in error state (CVE-2017-3737) rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) --------------------------------------------- https://www.openssl.org/news/secadv/20171207.txt ∗∗∗ DFN-CERT-2017-2213: Microsoft Malware Protection Engine: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2213/ ∗∗∗ Huawei Security Advisories ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM API Connect (CVE-2017-1000381, CVE-2017-11499) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009964 ∗∗∗ IBM Security Bulletin: Potential information leakage vulnerability in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22010627 ∗∗∗ [R1]Nessus 6.11.3 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2017-15 Next End-of-Day report on 2017-12-11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.12.2017
by Daily end-of-shift report 06 Dec '17

06 Dec '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-12-2017 18:00 − Mittwoch 06-12-2017 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ PSA: Do not Trust Reverse DNS (and why does an address resolve to "localhost")., (Wed, Dec 6th) ∗∗∗ --------------------------------------------- Reverse DNS can be a valuable to find out more about an IP address. For example: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/23105 ∗∗∗ A new issue of our SWITCH Security Report is available! ∗∗∗ --------------------------------------------- Dear Reader! A new issue of our bi-monthly SWITCH Security Report is available! The topics covered in this report are: Dresscode for apps in the Google Play Store: malicious Quad9 – does it offer a data protection-friendly alternative to Google [...] --------------------------------------------- https://securityblog.switch.ch/2017/12/06/a-new-issue-of-our-switch-securit… ∗∗∗ Daten von 31 Millionen Nutzern der App ai.type Keyboard geleakt ∗∗∗ --------------------------------------------- In dem riesigen Datenleak stehen unter anderen E-Mail-Adressen, Namen und IMEI- und Telefon-Nummern von Nutzern der App. Auch Kontakte aus Telefonbüchern sollen sich darin finden. --------------------------------------------- https://heise.de/-3910522 ∗∗∗ Sicherheitsupdates: Angreifer könnten TeamViewer-Sessions entern ∗∗∗ --------------------------------------------- Unter bestimmten Voraussetzungen sind TeamViewer-Sessions gefährdet. Sicherheitsupdates sind zum Teil schon verfügbar. --------------------------------------------- https://heise.de/-3911170 ∗∗∗ Recam Redux - DeConfusing ConfuserEx ∗∗∗ --------------------------------------------- This post is authored by Holger Unterbrink and Christopher MarczewskiOverviewThis report shows how to deobfuscate a custom .NET ConfuserEx protected malware. We identified this recent malware campaign from our Advanced Malware Protection (AMP) telemetry. Initial infection is via a malicious Word document, the malware ultimately executes in memory an embedded payload from the Recam family. Recam is an information stealer. Although the malware has been around for the past few years, theres a [...] --------------------------------------------- http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confusere… ∗∗∗ ParseDroid vulnerabilities could affect all Android developers ∗∗∗ --------------------------------------------- Checkpoint researchers discovered several vulnerabilities in Android application developer tools that put any organisation that does Java/Android development at risk of an outsider gaining access to their system. --------------------------------------------- https://www.scmagazineuk.com/news/parsedroid-vulnerabilities-could-affect-a… ∗∗∗ MailSploit bugs let spoofed emails bypass DMARC, spam detectors ∗∗∗ --------------------------------------------- A collection of vulnerabilities dubbed Mailsploit, found by German security researcher Sabri Haddouche in 30 types of email client applications - from Apple Mail to Mozilla Thunderbird - lets hackers bypass anti-spoofing mechanisms. --------------------------------------------- https://www.scmagazineuk.com/news/mailsploit-bugs-let-spoofed-emails-bypass… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco NX-OS Software TCP Netstack Denial of Service Vulnerability ∗∗∗ --------------------------------------------- 4A vulnerability in the TCP stack of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to improper processing of certain TCP packets in the closing sequence of a TCP session while the affected device is in a TIME_WAIT state. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… ∗∗∗ [Xen-announce] Xen Security Advisory 238 (CVE-2017-15591) - DMOP map/unmap missing argument checks ∗∗∗ --------------------------------------------- Malicious or buggy stub domain kernels or tool stacks otherwise living outside of Domain0 can mount a denial of service attack which, if successful, can affect the whole system. Only domains controlling HVM guests can exploit this vulnerability. (This includes domains providing hardware emulation services to HVM guests.) --------------------------------------------- https://lists.xenproject.org/archives/html/xen-announce/2017-12/msg00002.ht… ∗∗∗ Vuln: Multiple F-Secure Internet Gatekeeper Products Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/102066 ∗∗∗ Security Advisory - Multiple Vulnerabilities in Intel Management Engine Firmware ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171201-… ∗∗∗ Security Advisory - Double Free Vulnerability in Flp Driver of Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171206-… ∗∗∗ Security Advisory - Multiple Security Vulnerabilities in the IKEv2 Protocol Implementation of Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171206-… ∗∗∗ Security Advisory - Input Validation Vulnerability in H323 Protocol of Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171206-… ∗∗∗ Security Notice - Statement on Remote Code Execution Vulnerability in Huawei HG532 Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20171130-01-… ∗∗∗ IBM Security Bulletin: IBM BigInsights is affected by a Text Analytics vulnerabilty (CVE-2017-1336 ) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22010812 ∗∗∗ IBM Security Bulletin: IBM Security Network Protection is affected by vulnerabilities in OpenSSH (CVE-2016-6210 CVE-2016-6515 CVE-2016-10009 CVE-2016-10011) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22010305 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by vulnerability in subversion (CVE-2017-9800) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009835 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by vulnerabilities in Linux kernel ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008854 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by a vulnerability in glibc ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008853 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by vulnerabilities in tcpdump ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008339 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by vulnerabilities in openssh (CVE-2016-10009 CVE-2016-10011 CVE-2016-10012 CVE-2016-6210 CVE-2016-6515) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008340 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting vulnerability in IBM Support Tools for Lotus WCM (CVE-2017-1536) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008031 ∗∗∗ IBM Security Bulletin: IBM Cloud Orchestrator and Cloud Orchestrator Enterprise update of IBM® SDK Java™ Technology Edition and IBM® Runtime Environment Java™ ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg2C1000361 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ and IBM MQ Appliance ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008757 ∗∗∗ IBM Security Bulletin: IBM MQ could allow an authenticated user to insert messages with malformed data into the channel which would cause it to restart. (CVE-2017-1433) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005525 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.12.2017
by Daily end-of-shift report 05 Dec '17

05 Dec '17

===================== = End-of-Day report = ===================== Timeframe: Montag 04-12-2017 18:00 − Dienstag 05-12-2017 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Gefälschte Sicherheitswarnung auf Facebook ∗∗∗ --------------------------------------------- Mit dem gefälschten Facebook-Profil „Help Update Account“ teilen Kriminelle Beiträge von Kleinunternehmen und sprechen eine Sicherheitswarnung aus. Sie fordern die Eigentümer/innen der Konten auf, dass sie auf einer Website ihren Account bestätigen, um eine Blockierung zu verhindern. Wer dem nachkommt, übermittelt die Unternehmens-Zugangsdaten an Kriminelle. --------------------------------------------- https://www.watchlist-internet.at/facebook-betrug/gefaelschte-sicherheitswa… ===================== = Vulnerabilities = ===================== ∗∗∗ Apache Software Foundation Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: December 04, 2017 The Apache Software Foundation has released security updates to address vulnerabilities in Apache Struts versions 2.5 to 2.5.14. A remote attacker could exploit one of these vulnerabilities to take control of an affected system.US-CERT encourages users and administrators to review Apache Security Bulletins S2-054 and S2-055 and upgrade to Struts 2.5.14.1. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/12/04/Apache-Software-Fo… ∗∗∗ DFN-CERT-2017-2198/">OTRS: Zwei Schwachstellen ermöglichen das Ausspähen von Informationen und die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- Ein entfernter, einfach authentifizierter Angreifer mit Agenten-Benutzerkonto in OTRS kann eine Schwachstelle ausnutzen, um beliebige Kommandozeilenbefehle mit erweiterten Privilegien auf dem unterliegenden Betriebssystem zur Ausführung zu bringen. Ein Angreifer mit Kundenkonto kann eine weitere Schwachstelle ausnutzen, um interne Informationen über seinem Konto zugeordnete Kundentickets auszuspähen. Der Hersteller stellt OTRS 6.0.2, 5.0.25 und 4.0.27 als Sicherheitsupdates zur Behebung der Schwachstellen zur Verfügung. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2198/ ∗∗∗ DFN-CERT-2017-2204/">Jenkins: Eine Schwachstelle ermöglicht einen Cross-Site-Scripting-Angriff ∗∗∗ --------------------------------------------- Ein entfernter, einfach authentisierter Angreifer mit Administratorrechten kann einen Cross-Site-Scripting (XSS)-Angriff gegen Benutzer von Jenkins durchführen. Der Hersteller plant kein Sicherheitsupdate zur Behebung der Schwachstelle, da Administratoren in Jenkins gemäß ihrer Rollendefinition bereits alle Rechte haben, um die durch die genannte Schwachstelle möglichen Angriffe durchzuführen. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2204/ ∗∗∗ Android Security Bulletin - December 2017 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2017-12-05 or later address all of these issues. --------------------------------------------- https://source.android.com/security/bulletin/2017-12-01.html ∗∗∗ IBM Security Bulletin: A vulnerability in busybox affects IBM NeXtScale Fan Power Controller (FPC) (CVE-2016-2147) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099729 ∗∗∗ IBM Security Bulletin: A tcp vulnerability in Linux Kernel affects IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems (CVE-2017-14106) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099730 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects WebSphere Application Server October 2017 CPU ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010560 ∗∗∗ IBM Security Bulletin: Apache Commons Collection as used in IBM QRadar SIEM is vulnerable to remote code execution. (CVE-2015-6420) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22011281 ∗∗∗ IBM Security Bulletin: IBM Case Manager may be vulnerable to Apache Commons FileUpload code execution ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22010267 ∗∗∗ IBM Security Bulletin: Financial Transaction Manager (FTM) for Multi-Platform (MP) is affected by a SQL Injection security vulnerability (CVE-2017-1606) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011179 ∗∗∗ IBM Security Bulletin: IBM Connections Engagement Center Security Refresh (CVE-2017-1613, CVE-2017-1683) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010690 ∗∗∗ IBM Security Bulletin: IBM Connections Security Refresh (CVE-2017-1498) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006286 ∗∗∗ IBM Security Bulletin: Information Disclosure Security Vulnerability Affects IBM Sterling B2B Integrator (CVE-2017-1481) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010761 ∗∗∗ IBM Security Bulletin: IBM MQ Appliance is affected by a GNU C library (glibc) vulnerability (CVE-2017-8804) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009796 ∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance MQOPEN call might succeed when it should have failed. (CVE-2017-1341 ) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005400 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.12.2017
by Daily end-of-shift report 04 Dec '17

04 Dec '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-12-2017 18:00 − Montag 04-12-2017 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Visualise Event Logs to Identify Compromised Accounts - LogonTracer ∗∗∗ --------------------------------------------- JPCERT/CC has developed and released a tool “LogonTracer” which supports such event log analysis. This entry introduces how it works and how to launch it. ... LogonTracer associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph. This way, it is possible to see in which account login attempt occurs and which host is used. --------------------------------------------- http://blog.jpcert.or.jp/2017/11/visualise-event-logs-to-identify-compromis… ∗∗∗ Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’ ∗∗∗ --------------------------------------------- Scripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats. Scripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run through legitimate processes and are perfect tools for “living off the land”—staying away from the disk and using common tools to run code directly in memory. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/12/04/windows-defender-atp-ma… ∗∗∗ Europäisches Parlament will Mediaplayer VLC sicherer machen ∗∗∗ --------------------------------------------- EU-Projekt FOSSA (Free Open Source Software Analysis) ist für das Bug-Bounty-Programm mitverantwortlich. --------------------------------------------- https://heise.de/-3907536 ∗∗∗ An IRISSCON 2017 roundup ∗∗∗ --------------------------------------------- This post contains links to many of the top-rated talks from the event, along with links to additional content. --------------------------------------------- https://blog.malwarebytes.com/security-world/2017/11/an-irisscon-2018-round… ∗∗∗ Avalanche-Botnetz: BSI weitet Schutzmaßnahmen aus ∗∗∗ --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik (BSI) weitet die Schutz- und Informationsmaßnahmen aus, die im Rahmen der Zerschlagung der weltweit größten Botnetzinfrastruktur Avalanche Ende 2016 initiiert wurden, und verlängert diese zudem. Das im Zuge der Avalanche-Abschaltung im Jahr 2016 vom BSI aufgesetzte Sinkholing-System wurde dabei um Domänen des Andromeda-Botnetzes erweitert. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Avalanche_E… ===================== = Vulnerabilities = ===================== ∗∗∗ [openssl-announce] Forthcoming OpenSSL release ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.0.2n. ... This is a security-fix release. The highest severity issue fixed in this release is MODERATE. --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2017-December/000108.html ∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by vulnerabilities in Oracle MySQL (Multiple CVEs) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010801 ∗∗∗ IBM Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by vulnerabilities in Oracle MySQL (Multiple CVEs) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010702 ∗∗∗ IBM Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by vulnerabilities in Oracle MySQL (Multiple CVEs) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010735 ∗∗∗ IBM Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by vulnerabilities in Oracle MySQL (Multiple CVEs) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010736 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium (multiple CVEs) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010421 ∗∗∗ IBM Security Bulletin: Open Source GNU glibc Vulnerabilities affects IBM Security Guardium (CVE-2017-1000366) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008897 ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by Open Source XMLsoft Libxml2 Vulnerabilities (CVE-2016-4658) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010734 ∗∗∗ IBM Security Bulletin: Selection of Less-Secure Algorithm During Negotiation vulnerability affects IBM Security Guardium (CVE-2017-1271) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010435 ∗∗∗ Asterisk chan_skinny Driver Bug Lets Remote Users Consume Excessive Memory Resources ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039948 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.12.2017
by Daily end-of-shift report 01 Dec '17

01 Dec '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-11-2017 18:00 − Freitag 01-12-2017 18:00 Handler: Nina Bieringer Co-Handler: Petr Sikuta ===================== = News = ===================== ∗∗∗ Thousands of Serial-To-Ethernet Devices Leak Telnet Passwords ∗∗∗ --------------------------------------------- A security researcher has identified thousands of Serial-to-Ethernet devices connected online that leak Telnet passwords that could be used to attack the equipment that is placed behind them. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/thousands-of-serial-to-ether… ===================== = Vulnerabilities = ===================== ∗∗∗ Geovap Reliance SCADA ∗∗∗ --------------------------------------------- This advisory contains mitigation details for a cross-site scripting vulnerability in Geovap's Reliance SCADA. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-334-02 ∗∗∗ DFN-CERT-2017-2180 - Apache Software Foundation Struts: Zwei Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2180/ ∗∗∗ DFN-CERT-2017-2181 - Wireshark: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2181/ ∗∗∗ Security Advisory - Multiple Vulnerabilities in Intel Management Engine Firmware ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171201-… ∗∗∗ Security Advisory - Memory Double Free Vulnerability in GPU Driver of Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171201-… ∗∗∗ Security Advisory - DoS Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171201-… ∗∗∗ Security Advisory - Two DOS Vulnerabilities of XML Parser in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171201-… ∗∗∗ Security Advisory - Memory Leak Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171201-… ∗∗∗ Security Advisory - Multiple Buffer Overflow Vulnerabilities in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171201-… ∗∗∗ Security Notice - Statement About the Vulnerabilities in Huawei SmartCare Products Disclosed by Bhaskar Borman ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20171201-01-… ∗∗∗ IBM Security Bulletin: Aspera Applications are affected by a Nginx vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011149 ∗∗∗ IBM Security Bulletin: Aspera Applications are affected by an OpenSSL vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010618 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Aspera Transfer Cluster Manager, Faspex on Demand, Server on Demand, Application on Demand, and Azure on Demand ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010689 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Aspera Enterprise Server, Connect Server, Point to Point Client, Desktop Client, Faspstream, Cargo, and Sync ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011142 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Aspera Orchestrator, IBM Aspera Virtual Catcher, IBM Aspera Faspex, IBM Aspera Shares ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011143 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Aspera Transfer Cluster Manager, faspex on Demand, Server on Demand, Application Platform on Demand, and Azure on Demand ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011146 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Aspera Enterprise Server, IBM Aspera Connect Server, IBM Aspera Point to Point Client, IBM Aspera Desktop Client and IBM Aspera Connect Browser Plugin ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011145 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Aspera Transfer Clustered Manager, faspex on Demand, Server on Demand, Application Platform on Demand, and Azure on Demand ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011148 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Aspera Enterprise Server, IBM Aspera Connect Server, IBM Aspera Point to Point Client, IBM Aspera Desktop Client and IBM Aspera Connect Browser Plugin ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011150 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities with the open source Perl Compatible Regular Expression (PCRE) libraries used in IBM Aspera Shares Application ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011151 ∗∗∗ IBM Security Bulletin: IBM Connections Docs is affected by vulnerability issues caused by libxml2 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009408 ∗∗∗ IBM Security Bulletin: A vulnerability in Apache Commons FileUpload affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22010019 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010227 ∗∗∗ IBM Security Bulletin: IBM TRIRIGA is Missing HTTP Strict-Transport-Security Header ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006185 ∗∗∗ IBM Security Bulletin: IBM TRIRIGA default login page has no defenses against clickjacking ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006184 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.11.2017
by Daily end-of-shift report 30 Nov '17

30 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-11-2017 18:00 − Donnerstag 30-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Gefälschter Bluescreen: "Troubleshooter"-Malware zockt Windows-Nutzer ab ∗∗∗ --------------------------------------------- Derzeit ist eine Windows-Malware im Umlauf, die auf infizierten Rechnern einen Bluescreen simuliert und den Bildschirm sperrt. Sie beendet sich erst, wenn Opfer Geld für eine nicht existente Sicherheitssoftware überweisen. Außerdem fertigt sie einen Screenshot des Desktops – genauer: des Fensters im Vordergrund – an, um ihn an eine feste IP-Adresse zu verschicken. Das geht aus einem Blogeintrag eines Sicherheitsforschers von Malwarebytes hervor, der den von ihm entdeckten Schädling auf den Namen Troubleshooter getauft hat. --------------------------------------------- https://heise.de/-3905456 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco WebEx Network Recording Player Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in Cisco WebEx Network Recording Player for Advanced Recording Format (.arf) files could allow an attacker to execute arbitrary code on a system. An attacker could exploit this vulnerability by providing a user with a malicious .arf file via email or URL and convincing the user to launch the file.Exploitation of this vulnerability could cause a buffer overflow condition on the targeted system, causing the Network Recording Player to crash, resulting in a denial of service (DoS) --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ libcurl Out-of-Bounds Memory Read Error in FTP Wildcard Function Lets Remote Users Redirect the Target Client to an Arbitrary Site ∗∗∗ --------------------------------------------- Version(s): 7.21.0 - 7.56.1 A remote server can return specially crafted data to trigger an out-of-bounds memory read error in the FTP wildcard matching function (CURLOPT_WILDCARDMATCH) and cause the target connected libcurl client to be redirected. libcurl applications that use HTTP or HTTPS URLs, allow libcurl redirects, and has FTP wildcards enabled are affected. --------------------------------------------- https://www.securitytracker.com/id/1039897 ∗∗∗ WordPress 4.9.1 Security and Maintenance Release ∗∗∗ --------------------------------------------- WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team's ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1 --------------------------------------------- https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance… ∗∗∗ Security Advisory - Remote Code Execution Vulnerability in Microsoft Windows Server Service ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-… ∗∗∗ Security Advisory - Memory Leak Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-… ∗∗∗ Security Advisory - Stack Overflow Vulnerability in Baseband Module of Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171125-… ∗∗∗ Security Advisory - Multiple Vulnerabilities of WPA and WPA2 Protocol in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171117-… ∗∗∗ Security Advisory - Three OpenSSL Vulnerabilities in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170503-… ∗∗∗ IBM Security Bulletin: Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009849 ∗∗∗ IBM Security Bulletin: Apache Commons FileUpload Vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2016-1000031) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010587 ∗∗∗ IBM Security bulletin: IBM Sterling File Gateway is vulnerable to cross-site scripting (CVE-2017-1632) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010549 ∗∗∗ IBM Security bulletin: Access control security vulnerability affects IBM Sterling File Gateway (CVE-2017-1550) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010758 ∗∗∗ IBM Security bulletin: Cross-site scripting. security vulnerability affects IBM Sterling File Gateway (CVE-2017-1549) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010759 ∗∗∗ IBM Security bulletin: Information disclosure vulnerability affects IBM Sterling File Gateway (CVE-2017-1548, CVE-2017-1497) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010738 ∗∗∗ IBM Security bulletin: Information disclosure vulnerability affects IBM Sterling File Gateway (CVE-2017-1487) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010552 ∗∗∗ IBM Security bulletin: Cross-site scripting security vulnerability affects IBM Sterling B2B Integrator (CVE-2017-1482) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010762 ∗∗∗ IBM Security Bulletin: IBM Atlas eDiscovery Process Management vulnerable to SQL injection. ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22005835 ∗∗∗ IBM Security Bulletin: IBM Atlas eDiscovery Process Management affected by vulnerability due to sensitive information stored in URL parameters. ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22005836 ∗∗∗ SSA-350846 (Last Update 2017-11-30): Vulnerabilities in SWT3000 ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-350846… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.11.2017
by Daily end-of-shift report 29 Nov '17

29 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-11-2017 18:00 − Mittwoch 29-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Annual Incident Analysis Report for the Trust Service Providers ∗∗∗ --------------------------------------------- One year after the eIDAS Regulation entered into force, ENISA publishes the first comprehensive overview of the annual summary reporting by the Member States. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/annual-incident-analysis-report… ∗∗∗ Teure Angriffe auf ISDN-Anlagen ∗∗∗ --------------------------------------------- Neuartige Angriffe auf ISDN-Anlagen unterlaufen die Betrugserkennung der Telefongesellschaften durch die Nutzung von Call-by-Call-Vorwahlen und maximieren damit den Schaden. Gefährdet sind auch Besitzer älterer Anlagen ohne Internetanbindung. --------------------------------------------- https://www.heise.de/newsticker/meldung/Teure-Angriffe-auf-ISDN-Anlagen-390… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Security Update 2017-001 ∗∗∗ --------------------------------------------- Available for: macOS High Sierra 10.13.1 Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password --------------------------------------------- https://support.apple.com/kb/HT208315 ∗∗∗ [webapps] Synology StorageManager 5.2 - Root Remote Command Execution ∗∗∗ --------------------------------------------- Vulnerability Summary The following advisory describes a remote command execution vulnerability found in Synology StorageManager. --------------------------------------------- https://www.exploit-db.com/exploits/43190/?rss ∗∗∗ RSA Authentication Agent SDK for C Error Handling Flaw May Let Remote Users Bypass Authentication on the Target System ∗∗∗ --------------------------------------------- In applications that do not properly handle return codes from the API/SDK, a remote user may be able to trigger an error handling flaw and bypass authentication on the target system. Systems with the API/SDK used in TCP asynchronous mode may be affected. The RSA Authentication Agent API/SDK for Java is not affected. --------------------------------------------- http://www.securitytracker.com/id/1039877 ∗∗∗ RSA Authentication Agent for Web for Apache Web Server Lets Remote Users Bypass Authentication on the Target System ∗∗∗ --------------------------------------------- A remote user can supply specially crafted data to trigger an input validation flaw and bypass authentication and gain access to resources ostensibly protected by the target agent. Agents configured to use the TCP protocol to communicate with the RSA Authentication Manager server are affected. The default configuration (UDP) is not affected. --------------------------------------------- http://www.securitytracker.com/id/1039876 ∗∗∗ Siemens SCALANCE W1750D, M800, and S615 ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-332-01 ∗∗∗ Vuln: Multiple EMC RSA products CVE-2017-14378 Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/101979 ∗∗∗ Vuln: Multiple Siemens SCALANCE Products Multiple Security Vulnerabilities ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/101977 ∗∗∗ Cisco Secure Access Control System Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco WebEx Meeting Center URL Redirection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco WebEx Meeting Center Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco WebEx Event Center Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco WebEx Meeting Server Unauthorized Welcome Message Modification Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco WebEx Network Recording Player Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Cisco WebEx Recording Format and Advanced Recording Format Players ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco WebEx Network Recording Player Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Cisco UCS Central Software ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Multilayer Director, Nexus 7000 Series, and Nexus 7700 Series Switches Bash Shell Unauthorized Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Prime Service Catalog SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Nexus Series Switches Open Agent Container Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS System Software Patch Installation Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS System Software CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS System Software CLI Arbitrary File Read Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS System Software Interactive TCL Shell Escape Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS System Software CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS System Software CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS System Software Image Signature Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS System Software Guest Shell Unauthorized Internal Interface Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS System Software Patch Installation Arbitrary File Write Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS System Software Patch Signature Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Nexus Series Switches CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Jabber Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Jabber Clients Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Jabber Clients Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IP Phone 8800 Series Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XR Software Local Packet Transport Services Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FXOS and NX-OS System Software CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Email Security Appliance Malformed MIME Header Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Cisco Data Center Network Manager Software ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Communications Manager Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Meeting Server Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Application Policy Infrastructure Controller Local Command Injection and Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Use After Free Vulnerability in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-… ∗∗∗ Security Advisory - Multiple NTPd Vulnerabilities in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-… ∗∗∗ Security Advisory - Two Vulnerabilities in H323 protocol of Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-… ∗∗∗ Security Advisory - DoS Vulnerability in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-… ∗∗∗ Security Advisory - A CGI application vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-… ∗∗∗ Security Advisory - Memory Leak Vulnerability in Some Huawei Network Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-… ∗∗∗ Security Advisory - Samba Remote Code Execution Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-… ∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-… ∗∗∗ Security Advisory - Denial of Service Vulnerability on Several Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-… ∗∗∗ Security Advisory - Buffer Overflow Vulnerability on Several Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-… ∗∗∗ Security Advisory - Integer Overflow Vulnerability on Several Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ Internet Pass Thru ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009183 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security AppScan Enterprise ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010003 ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSL affects QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module and QLogic Virtual Fabric Extension Module for IBM BladeCenter systems (CVE-2016-7055) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099697 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.11.2017
by Daily end-of-shift report 28 Nov '17

28 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Montag 27-11-2017 18:00 − Dienstag 28-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Further abusing the badPwdCount attribute ∗∗∗ --------------------------------------------- ... what happens if you store your password on all sorts of devices (for authenticating with Exchange, Skype For Business, etc.) and you change your password? That would result in Exchange, Windows or any other service trying to authenticate with an invalid password. If everything works correctly, you should be locked out very soon because of this. However, this is not the case. --------------------------------------------- https://blog.fox-it.com/2017/11/28/further-abusing-the-badpwdcount-attribut… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Thunderbird als Einfallstor für Schadcode ∗∗∗ --------------------------------------------- Nutzen Angreifer als kritisch eingestufte Sicherheitslücken in Thunderbird aus, könnten sie aus der Ferne Schadcode auf Computern ausführen. Eine abgesicherte Version löst diese Probleme. --------------------------------------------- https://heise.de/-3903023 ∗∗∗ Cisco Unified Computing System Manager and Cisco Firepower 9000 Remote Command Execution Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in a CGI script in the Cisco Unified Computing System (UCS) Manager and the Cisco Firepower 9000 Series appliance could allow an unauthenticated, remote attacker to execute arbitrary commands on the Cisco UCS Manager or the Cisco Firepower 9000 Series appliance.The vulnerability is due to unprotected calling of shell commands in the CGI script. An attacker could exploit this vulnerability by sending a crafted HTTP request to the Cisco UCS Manager or the Cisco Firepower 9000 --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… ∗∗∗ DFN-CERT-2017-2131/">Foxit Reader, Foxit PhantomPDF: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Foxit Reader und Foxit PhantomPDF bis inklusive Version 8.3.2.25013 für Windows ermöglichen einem in den meisten Fällen entfernten, nicht authentisierten Angreifer die Ausführung beliebigen Programmcodes, die Durchführung von Denial-of-Service (DoS)-Angriffen und das Ausspähen von Informationen. Voraussetzung für erfolgreiche Angriffe ist, dass es dem Angreifer gelingt, einen Benutzer dazu zu verleiten, eine schädlich manipulierte Datei zu öffnen. Zwei weitere Schwachstellen können vermutlich nur von einem lokalen Angreifer ausgenutzt werden, um Informationen auszuspähen. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2131/ ∗∗∗ [Xen-announce] Xen Security Advisory 246 - x86: infinite loop due to missing PoD error checking ∗∗∗ --------------------------------------------- A malicious HVM guest can cause one pcpu to permanently hang. This normally cascades into the whole system freezing, resulting in a a host Denial of Service (DoS). --------------------------------------------- https://xenbits.xen.org/xsa/advisory-246.html ∗∗∗ [Xen-announce] Xen Security Advisory 247 - Missing p2m error checking in PoD code ∗∗∗ --------------------------------------------- An unprivileged guest can retain a writable mapping of freed memory. Depending on how this page is used, it could result in either an information leak, or full privilege escalation. Alternatively, an unprivileged guest can cause Xen to hit a BUG(), causing a clean crash - ie, host-wide denial-of-service (DoS). --------------------------------------------- https://xenbits.xen.org/xsa/advisory-247.html ∗∗∗ GNU C Library (glibc) vulnerability CVE-2017-15671 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30314331 ∗∗∗ GNU C Library (glibc) vulnerability CVE-2017-15670 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K35129173 ∗∗∗ IBM Security Bulletin: Vulnerabilities in ntp affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099664 ∗∗∗ IBM Security Bulletin: Vulnerability in bash affects IBM Chassis Management Module (CVE-2016-9401) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099641 ∗∗∗ IBM Security Bulletin: Vulnerabilities in curl affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099665 ∗∗∗ IBM Security Bulletin: Vulnerabilities in strongSwan affect IBM Chassis Management Module (CVE-2017-9022, CVE-2017-9023) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099642 ∗∗∗ IBM Security Bulletin: Vulnerabilities in libxslt affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099666 ∗∗∗ IBM Security Bulletin: Vulnerabilities in strongswan affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099668 ∗∗∗ IBM Security Bulletin: Vulnerabilities in PHP affect IBM Chassis Management Module (CVE-2017-9227, CVE-2017-9226, CVE-2017-9224) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099644 ∗∗∗ IBM Security Bulletin: Vulnerabilities in libxml2 affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099667 ∗∗∗ IBM Security Bulletin: Vulnerability in libxml2 affects IBM Chassis Management Module (CVE-2016-9318) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099643 ∗∗∗ IBM Security Bulletin: Vulnerability in bind affects IBM Chassis Management Module (CVE-2017-3142) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099645 ∗∗∗ IBM Security Bulletin: Vulnerabilities in bind affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099669 ∗∗∗ IBM Security Bulletin: Vulnerabilities in libxml2 affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099671 ∗∗∗ IBM Security Bulletin: Vulnerability in libxml2 affects IBM Chassis Management Module (CVE-2017-5969) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099660 ∗∗∗ IBM Security Bulletin: Vulnerability in libgcrypt affects IBM Chassis Management Module (CVE-2017-7526) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099652 ∗∗∗ IBM Security Bulletin: Vulnerability in Linux Kernel affects IBM Flex System Networking Switch Products (CVE-2017-6214) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099693 ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in expat (CVE-2012-6702 CVE-2016-5300) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099657 ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in libxml2 (CVE-2016-9318 CVE-2016-9597) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099655 ∗∗∗ IBM Security Bulletin: Vulnerability in Linux Kernel affects IBM RackSwitch Products (CVE-2017-6214) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099703 ∗∗∗ IBM Security Bulletin: Vulnerabilities in libxml2 affect IBM Flex System Networking Switch Products ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099702 ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in X.Org libs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099653 ∗∗∗ IBM Security Bulletin: Vulnerabilities in libxml2 affect IBM RackSwitch Products ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099696 ∗∗∗ IBM Security Bulletin: Vulnerability in libxml2 affects IBM Flex System Networking Switch Products (CVE-2017-8872) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099694 ∗∗∗ IBM Security Bulletin: Vulnerabilities in libxml2 affect IBM RackSwitch Products ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099695 ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in bind (CVE-2016-9131 CVE-2016-9147 CVE-2016-9444) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099654 ∗∗∗ IBM Security Bulletin: Vulnerability in libxml2 affects IBM RackSwitch Products (CVE-2017-8872) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099704 ∗∗∗ IBM Security Bulletin: Vulnerabilities in libxml2 affect IBM Flex System Networking Switch Products ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099701 ∗∗∗ IBM Security Bulletin: Vulnerability in X.Org libICE affects IBM Chassis Management Module (CVE-2017-2626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099661 ∗∗∗ IBM Security Bulletin: Vulnerabilities in libxml2 affect IBM Virtual Fabric 10Gb Switch Module for IBM BladeCenter ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099698 ∗∗∗ IBM Security Bulletin: Vulnerability in libxml2 affects IBM Virtual Fabric 10Gb Switch Module for IBM BladeCenter (CVE-2017-8872) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099700 ∗∗∗ IBM Security Bulletin: Vulnerabilities in libxml2 affect IBM Virtual Fabric 10Gb Switch Module for IBM BladeCenter ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099699 ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in X.Org libXrender (CVE-2016-7949 CVE-2016-7950) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099650 ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in X.Org libXv ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099649 ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in X.Org libX11 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099648 ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerability in bind (CVE-2017-3135) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099658 ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in bash (CVE-2014-6277 CVE-2014-6278 CVE-2016-0634 CVE-2016-7543) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099656 ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in X.Org libXfixes (CVE-2016-7944 CVE-2013-1983) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099651 ∗∗∗ IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010856 ∗∗∗ IBM Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2017-12615, CVE-2017-12616, CVE-2017-12617) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010577 ∗∗∗ IBM Security Bulletin: Vulnerabilities in Samba affect IBM Spectrum Scale SMB protocol access method (CVE-2017-12163, CVE-2017-12151, CVE-2017-12150) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010703 ∗∗∗ IBM Security Bulletin: Samba vulnerability issue on IBM SONAS (CVE-2017-12163) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010855 ∗∗∗ IBM Security Bulletin: IBM Cognos Controller 2017Q4 Security Updater: Multiple vulnerabilities have been identified in IBM Cognos Controller ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010679 ∗∗∗ IBM Security Bulletin: IBM Connections Docs is Vulnerable to Denial of Service Issue in IBM WebSphere Application Server (CVE-2016-8919) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005319 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.11.2017
by Daily end-of-shift report 27 Nov '17

27 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-11-2017 18:00 − Montag 27-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Mobile Menace Monday: Chrome declares war on unwanted redirects ∗∗∗ --------------------------------------------- Google is initiating their plan to implement a few new changes in Chrome to defend against unwanted web redirects. A redirect happens when a different website from the URL that was entered opens in the browser. Sometimes redirects are intentional, as in when an organization/website is bought out by another entity and their traffic is redirected to the new owner. However, sometimes redirects are malicious and unwanted. --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/11/chrome-declares-war-unwant… ===================== = Vulnerabilities = ===================== ∗∗∗ [Pdns-announce] PowerDNS Authoritative Server 4.0.5 and Recursor 4.0.7 Available ∗∗∗ --------------------------------------------- We're happy to release PowerDNS Authoritative Server 4.0.5 and Recursor 4.0.7 which contain a lot of backports from the 4.1.x branch. These releases also drop support for Botan 1.10 in favor of Botan 2.x. More importantly there are fixes for the following security advisories: - Authoritative Server - PowerDNS Security Advisory 2017-04[1]: Missing check on API operations (CVE-2017-15091) - Recursor - PowerDNS Security Advisory 2017-03[2]: Insufficient validation of DNSSEC signatures (CVE-2017-15090) - PowerDNS Security Advisory 2017-05[3]: Cross-Site Scripting in the web interface (CVE-2017-15092) - PowerDNS Security Advisory 2017-06[4]: Configuration file injection in the API (CVE-2017-15093) - PowerDNS Security Advisory 2017-07[5]: Memory leak in DNSSEC parsing (CVE-2017-15094) --------------------------------------------- https://mailman.powerdns.com/pipermail/pdns-announce/2017-November/001077.h… ∗∗∗ Schwerwiegende Sicherheitsprobleme in Mailserver-Software Exim - Workaround verfügbar ∗∗∗ --------------------------------------------- Das Exim-Projekt hat am 25. 11. 2017 Informationen zu einer schwerwiegenden Sicherheitslücke veröffentlicht. Details: Durch Ausnutzen eines Use-after-free Fehlers können Angreifer potentiell beliebigen Code auf betroffenen Mailservern ausführen. CVE-Nummern dazu: CVE-2017-16943, CVE-2017-16944 --------------------------------------------- http://www.cert.at/warnings/all/20171127.html ∗∗∗ Security Advisory - Improper Access Control Vulnerability in Some Huawei OceanStor products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171122-… ∗∗∗ Security Advisory - Stack Overflow Vulnerability in Baseband Module of Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171125-… ∗∗∗ Security Advisory - Multiple Vulnerabilities of WPA and WPA2 Protocol in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171117-… ∗∗∗ IBM Security Bulletin: Security Bulletin: Samba vulnerability affects IBM SONAS (CVE-2017-9461) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010656 ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2017-15906 in OpenSSH affects IBM i ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022349 ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2017-14919 in Node.js affects IBM i ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022348 ∗∗∗ IBM Security Bulletin: Vulnerability in curl affects IBM Chassis Management Module (CVE-2017-7407) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099640 ∗∗∗ IBM Security Bulletin: Vulnerabilities in NTP affect IBM Chassis Management Module ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099639 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.11.2017
by Daily end-of-shift report 24 Nov '17

24 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-11-2017 18:00 − Freitag 24-11-2017 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Treat infosec fails like plane crashes – but hopefully with less death and twisted metal ∗∗∗ --------------------------------------------- We never learn from incidents, says Europol security adviser The world has never been so dependent on computers, networks and software so ensuring the security and availability of those systems is critical.… --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/11/24/infosec_dis… ∗∗∗ VB2017 video: FinFisher: New techniques and infection vectors revealed ∗∗∗ --------------------------------------------- Today, we publish the video of the VB2017 presentation by ESET researcher Filip Kafka, who looked at recent changes in the FinFisher government malware, including its infection vectors. --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/11/vb2017-video-finfisher-new-t… ∗∗∗ 31 lückenhafte Banking-Apps: Forscher entlarven App-TAN-Verfahren abermals als unsicher ∗∗∗ --------------------------------------------- Sicherheitsforscher zeigen eine nicht ganz triviale Methode auf, über die Angreifer Online-Banking-Apps manipulieren könnten. Auch in Deutschland sind Banken betroffen. --------------------------------------------- https://heise.de/-3900945 ∗∗∗ Gefälschte BAWAG PSK-Sicherheits-App im Umlauf ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte BAWAG PSK-E-Mail. Darin fordern sie von Kund/innen, dass diese eine Sicherheits-App installieren. Sie ist Schadsoftware und ermöglicht es den Betrüger/innen, Zugriff auf das OnlineBanking-Konto ihrer Opfer zu erlangen. Kund/innen dürfen die angebliche Sicherheits-App nicht installieren. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-bawag-psk-sicherheit… ===================== = Vulnerabilities = ===================== ∗∗∗ Lancom: Wichtiges LCOS-Update stopft Sicherheitslücke ∗∗∗ --------------------------------------------- Die aktuelle Version von Lancoms Betriebssoftware für Router, Access Points und Switches beseitigt eine Sicherheitslücke, die Angreifern bei bestimmten Firmware-Versionen Zugriff auf Verwaltungsfunktionen ermöglicht. --------------------------------------------- https://www.heise.de/newsticker/meldung/Lancom-Wichtiges-LCOS-Update-stopft… ∗∗∗ FortiOS: Updates schützen unter anderem vor Cross-Site-Scripting ∗∗∗ --------------------------------------------- Fortinet warnt vor einer Lücke in seinem Betriebssystem FortiOS für FortiGate-Produkte. Einige Updates stehen schon bereit; weitere folgen in Kürze. --------------------------------------------- https://heise.de/-3901201 ∗∗∗ DFN-CERT-2017-2115/">OTRS: Zwei Schwachstellen ermöglichen u.a. die Ausführung beliebiger Kommandozeilenbefehle ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2115/ ∗∗∗ DFN-CERT-2017-2119/">FortiGate: Eine Schwachstelle ermöglicht u.a. einen Cross-Site-Scripting-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2119/ ∗∗∗ IBM Security Bulletin: OpenSSL command line utility in IBM Workload Scheduler can run with elevated priviliges (CVE-2017-1716) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22010947 ∗∗∗ SSA-346262 (Last Update 2017-11-23): Denial-of-Service in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-346262… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.11.2017
by Daily end-of-shift report 23 Nov '17

23 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-11-2017 18:00 − Donnerstag 23-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Amazon Key Bug Lets Rogue Deliverymen Re-Enter Homes Without Being Recorded ∗∗∗ --------------------------------------------- A month after Amazon launched Amazon Key, security experts have already identified a flaw in the devices mode of operation that could allow rogue deliverymen to re-enter customer homes without being recorded. --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazon-key-bug-lets-rogue-de… ∗∗∗ Firefox Nightly Build 58: Firefox warnt künftig vor Webseiten mit Datenlecks ∗∗∗ --------------------------------------------- Im Nightly Build 58 testet Mozillaeinige neue Funktionen: So sollen Nutzer bald personalisierte Artikelvorschläge von Pocket bekommen. Außerdem werden Nutzer womöglich bald vor Webseiten gewarnt, die im großen Stil Nutzerdaten verloren haben. --------------------------------------------- https://www.golem.de/news/firefox-nightly-build-58-firefox-warnt-kuenftig-v… ∗∗∗ systemd Vulnerability Leads to Denial of Service on Linux ∗∗∗ --------------------------------------------- Many Linux distributions are at risk due to a recently disclosed flaw in systemd: a flaw in its DNS resolver could cause a denial-of-service attack on vulnerable systems. The vulnerability is exploited by having the vulnerable system send a DNS query to a DNS server controlled by the attackers. The DNS server would then return a specially crafted .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/systemd-vulnerab… ∗∗∗ Advisory: Turla group malware ∗∗∗ --------------------------------------------- This report provides new intelligence derived from NCSC investigations into two tools used by the Turla group to target the UK, known as Neuron and Nautilus. --------------------------------------------- https://www.ncsc.gov.uk/alerts/turla-group-malware ∗∗∗ Erpressungstrojaner qkG manipuliert Word-Template zur weiteren Verbreitung ∗∗∗ --------------------------------------------- Sicherheitsforscher sind auf eine neue Ransomware gestoßen, die es vorrangig auf Word-Nutzer abgesehen hat. --------------------------------------------- https://heise.de/-3899132 ∗∗∗ Mac-Malware Proton gibt sich als "Symantec Malware Detector" aus ∗∗∗ --------------------------------------------- Getarnt als Malware-Erkennung wurde der Mac-Trojaner über ein vermeintliches Symantec-Blog vertrieben. Eine über soziale Netze verbreitete Falschmeldung soll Nutzer zur Installation bringen. --------------------------------------------- https://heise.de/-3900056 ∗∗∗ Schwerer Bug erlaubt, macOS via USB-Stick zu knacken ∗∗∗ --------------------------------------------- Apple hat Fehler bereits geschlossen – Reparaturwerkzeug als Angriffspunkt --------------------------------------------- http://derstandard.at/2000068349782 ===================== = Vulnerabilities = ===================== ∗∗∗ FortiWebManager 5.8.0 improperly handles admin login access ∗∗∗ --------------------------------------------- FortiWebManager 5.8.0 fails to check the admin password, granting access regardless the provided string. --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-248 ∗∗∗ TablePress <= 1.8 - Authenticated XML External Entity (XXE) ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8963 ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in sudo. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099647 ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in curl ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099663 ∗∗∗ IBM Security Bulletin: IBM Flex System FC5022 16Gb SAN Scalable Switch is affected by vulnerabilities in OpenSSH ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099674 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.11.2017
by Daily end-of-shift report 22 Nov '17

22 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-11-2017 18:00 − Mittwoch 22-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Verbraucherschutz: Sportuhr-Hersteller gehen unsportlich mit Daten um ∗∗∗ --------------------------------------------- Herzfrequenz und Schlafphasen: Apple, Garmin und andere Hersteller von Sportuhren und Fitnesstrackern speichern auf ihren Portalen sehr persönliche Nutzerdaten. Bei einem Praxistest sind nur zwei Hersteller korrekt mit dem Auskunftsrecht des Kunden umgegangen. --------------------------------------------- https://www.golem.de/news/verbraucherschutz-sportuhr-hersteller-gehen-unspo… ∗∗∗ Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability ∗∗∗ --------------------------------------------- Intel recently released a security advisory detailing several security flaws in its Management Engine (ME). The advisory provides critical ME, Trusted Execution Technology (TXT), and Server Platform Services (SPS) firmware .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/mitigating-cve-2… ∗∗∗ Sicherheitslücke in HP-Druckern – Firmware-Updates stehen bereit ∗∗∗ --------------------------------------------- Unter Verwendung spezieller Malware können Angreifer aus der Ferne auf Drucker von HP zugreifen und dort unter anderem gerätespezifische Befehle ausführen. Der Hersteller hat Updates bereitgestellt und empfiehlt die umgehende Aktualisierung. --------------------------------------------- https://heise.de/-3897679 ∗∗∗ Deutsche Behörde: Staat muss digital zurückschlagen können ∗∗∗ --------------------------------------------- In der Schweiz erlaubte "Hackbacks" als Beispiel genannt --------------------------------------------- http://derstandard.at/2000068302436 ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-17-927: Adobe Acrobat Pro DC iframe Same Origin Policy Bypass Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-927/ ∗∗∗ IBM Security Bulletin: Security Vulnerabilities in IBM HTTP Server (CVE-2017-9798, CVE-2017-12618) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009782 ∗∗∗ RSA Authentication Manager Input Validation Flaw in Security Console Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039853 ∗∗∗ USN-3489-2: Berkeley DB vulnerability ∗∗∗ --------------------------------------------- http://www.ubuntu.com/usn/usn-3489-2/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.11.2017
by Daily end-of-shift report 21 Nov '17

21 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Montag 20-11-2017 18:00 − Dienstag 21-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ SSL Certificate Provider StartCom Shuts Down After Browser Ban ∗∗∗ --------------------------------------------- Certificate Authority (CA) StartCom announced last week, on Friday, its intention to cease operations by 2018, and completely shut down its certificate infrastructure by .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ssl-certificate-provider-sta… ∗∗∗ Factsheet Building a SOC: start small ∗∗∗ --------------------------------------------- An increasingly common way to achieve visibility and control of information security is to implement a Security Operations Centre (SOC). In order for a SOC to function successfully, it must be tied in with the business processes. This makes building a SOC .. --------------------------------------------- https://www.ncsc.nl/english/current-topics/factsheets/factsheet-building-a-… ∗∗∗ The Art of Fuzzing – Slides and Demos ∗∗∗ --------------------------------------------- Over the last weeks I presented talks on the topic of fuzzing at conferences such as DefCamp, Heise Dev Sec, IT-SeCX and BSides Vienna. As promised, I make my slides and demos available to the public with this blog post . --------------------------------------------- https://www.sec-consult.com/en/blog/2017/11/the-art-of-fuzzing-slides-and-d… ∗∗∗ Kritische Sicherheitslücke: Traffic von F5 BIG-IP-Appliances lässt sich entschlüsseln ∗∗∗ --------------------------------------------- Firewalls, Load-Balancer und andere BIG-IP-Systeme sind anfällig für einen Angriff, bei dem dritte den verschlüsselten SSL-Traffic zwischen Client und Appliance abhören können. Admins, die solche Systeme im Einsatz haben .. --------------------------------------------- https://heise.de/-3895060 ∗∗∗ Intel stopft neue Sicherheitslücken der Management Engine (SA-00086) ∗∗∗ --------------------------------------------- Intels Security Advisory SA-00086 beschreibt mehrere Fehler in der Firmware der Management Engine (ME 11.0 bis 11.7), in Trusted Execution Engine 3.0 und in den Server Platform Services (SPS 4.0). --------------------------------------------- https://heise.de/-3895175 ∗∗∗ OSX.Proton spreading through fake Symantec blog ∗∗∗ --------------------------------------------- A new variant of the OSX.Proton malware is being promoted via a fake Symantec blog site. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/o… ∗∗∗ Schwerwiegende Sicherheitsprobleme in Systemen mit aktuellen Intel-Prozessoren ∗∗∗ --------------------------------------------- Schwerwiegende Sicherheitsprobleme in Systemen mit aktuellen Intel-Prozessoren 21. November 2017 Beschreibung Wie Intel meldet (INTEL-SA-00086), gibt es aktuell mehrere Schwachstellen in Systemen mit .. --------------------------------------------- http://www.cert.at/warnings/all/20171121.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security Advisory 2017-07: Security Update for OTRS Framework ∗∗∗ --------------------------------------------- Please read carefully and check if the version of your OTRS system is affected by this vulnerability. Please send information regarding vulnerabilities .. --------------------------------------------- https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framewo… ∗∗∗ Samba: Use-after-free vulnerability ∗∗∗ --------------------------------------------- All versions of Samba from 4.0.0 onwards are vulnerable to a use after free vulnerability, where a malicious SMB1 request can be used to control the contents of heap memory via a deallocated heap pointer. It is possible this may be used to compromise the SMB server. --------------------------------------------- https://www.samba.org/samba/security/CVE-2017-14746.html ∗∗∗ Samba: Server heap memory information leak ∗∗∗ --------------------------------------------- All versions of Samba from 3.6.0 onwards are vulnerable to a heap memory information leak, where server allocated heap memory may be returned to the client without being cleared. --------------------------------------------- https://www.samba.org/samba/security/CVE-2017-15275.html ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Cast Iron ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009696 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Collaboration and Deployment Services ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010685 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.11.2017
by Daily end-of-shift report 20 Nov '17

20 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-11-2017 18:00 − Montag 20-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Defining and securing the Internet of Things: ENISA publishes a study on how to face cyber threats in critical information infrastructures ∗∗∗ --------------------------------------------- The study which is titled ‘Baseline Security Recommendations for Internet of Things in the context of critical information infrastructures’, aims to set the scene for IoT security in Europe. It serves as a reference point in this field and as a foundation for relevant forthcoming initiatives and developments. The ENISA report was developed in cooperation with the ENISA IoT Security Experts Group and additional key stakeholders. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/defining-and-securing-the-inter… ∗∗∗ New Open-Source IDS Tools ∗∗∗ --------------------------------------------- On November 16, 2017, [Dell] Secureworks released two open-source tools: Flowsynth and Dalton. These tools allow analysts to easily create and test network packet captures against IDS engines such as Suricata and Snort. --------------------------------------------- https://www.secureworks.com/blog/new-open-source-ids-tools ===================== = Vulnerabilities = ===================== ∗∗∗ DFN-CERT-2017-2081/">Procmail: Eine Schwachstelle ermöglicht u.a. einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- Eine Schwachstelle in 'procmail' ermöglicht einem entfernten, nicht authentisierten Angreifer die Durchführung eines Denial-of-Service (DoS)-Angriffes oder möglicherweise die Ausführung beliebigen Programmcodes. Voraussetzung ist, dass das Opfer eine schädlich präparierte Email-Nachricht des Angreifers öffnet. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2081/ ∗∗∗ DFN-CERT-2017-2085/">Moodle: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, einfach authentisierter Angreifer kann eine Schwachstelle in Moodle ausnutzen, um Informationen über Kursteilnehmer auszuspähen oder zu erraten. Moodle stellt die Versionen 3.1.9, 3.2.6, 3.3.3 und 3.4 als Sicherheitsupdates zur Behebung der Schwachstelle zur Verfügung. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2085/ ∗∗∗ Helping to Secure your PostgreSQL Database ∗∗∗ --------------------------------------------- But what about properly securing your PostgreSQL database? There are many ways you can go about securing a PostgreSQL database. Im going to highlight a few tips that I feel are important and essential to preventing unauthorized access into your data environment. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Helping-to-Secure-your-… ∗∗∗ Security Notice - Statement on Multiple Security Vulnerabilities in WPA/WPA2 ∗∗∗ --------------------------------------------- On October 16, 2017, an article titled "Key Reinstallation Attacks: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" was released, which mentioned multiple security vulnerabilities in protocols Wi-Fi Protected Access (WPA) and WPA2. The researcher had reported some of these vulnerabilities to Huawei before disclosing them. Huawei immediately launched investigation and carried out technical communication with the researcher. At present, the products that are affected by vulnerabilities include Android-based Huawei smart phone and Huawei smart home products (Huawei smart router, Honor smart router and Honor TV Box). --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20171017-01-… ∗∗∗ SSA-689071 (Last Update 2017-11-17): DNSMasq Vulnerabilities in SCALANCE W1750D, SCALANCE M800 and SCALANCE S615 ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-689071… ∗∗∗ OpenSSH vulnerability CVE-2017-15906 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K89621551 ∗∗∗ Vuln: Varnish Cache CVE-2017-8807 Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/101886 ∗∗∗ Symantec Management Console Directory Traversal ∗∗∗ --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… ∗∗∗ FortiWeb Stored XSS vulnerability on webUI certificate view page ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-131 ∗∗∗ IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One – Algo Risk Application (CVE-2017-7674, CVE-2017-7675) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008478 ∗∗∗ IBM Security Bulletin: IBM Tivoli Monitoring is affected by a vulnerability in its internal web server ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22010554 ∗∗∗ IBM Security Bulletin: An unspecified vulnerability in Oracle Java SE affects IBM Algo One Algo Risk Application (CVE-2017-10115) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009930 ∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM Java SDK affects IBM Algo One – Core (CVE-2017-10115) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009138 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Modeler ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010687 ∗∗∗ IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One – Algo Risk Application (CVE-2017-5664) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009583 ∗∗∗ IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One – Algo Risk Application (CVE-2017-5648) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004763 ∗∗∗ IBM Security Bulletin: Samba vulnerability issue affects IBM Storwize V7000 Unified (CVE-2017-12163) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010785 ∗∗∗ IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010746 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Storwize V7000 Unified ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010740 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM SONAS ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010745 ∗∗∗ IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Storwize V7000 Unified (CVE-2017-1000366) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010731 ∗∗∗ IBM Security Bulletin: IBM Content Collector for Emails,IBM Content Collector for File Systems, IBM Content Collector for SharePoint and IBM Content Collector for IBM Connections affected by vulnerabilities in International Components for Unicode ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22006357 ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSH affects AIX (CVE-2017-15906) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009301 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.11.2017
by Daily end-of-shift report 17 Nov '17

17 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-11-2017 18:00 − Freitag 17-11-2017 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Projekthoster: Github zeigt Sicherheitswarnungen für Projektabhängigkeiten ∗∗∗ --------------------------------------------- Vor wenigen Wochen hat der Projekthoster Github ein Werkzeug vorgestellt, das die Abhängigkeiten eines Projekts besser darstellen soll. Das Konzept wird nun um Sicherheitshinweise und Warnungen erweitert, was die Pflege deutlich erleichtern sollte. --------------------------------------------- https://www.golem.de/news/projekthoster-github-zeigt-sicherheitswarnungen-f… ∗∗∗ Here’s How To Get Solid Browser Security [Update 2017] ∗∗∗ --------------------------------------------- Of all the threats out there, browser security is often forgotten. This is tragic because browsers are a favorite target for malicious hackers. They’re the main way you interact with the Internet. You Google things, you visit blogs, buy online, pay your bills or browse Facebook. If a malicious hacker breaks in, he will find everything about [...] --------------------------------------------- https://heimdalsecurity.com/blog/ultimate-guide-secure-online-browsing/ ∗∗∗ Terdot banking trojan targets social media and email in addition to financial services ∗∗∗ --------------------------------------------- The Terdot banking trojan not only steals credit card information and login credentials for online financial services, but it also intercepts and modifies traffic on social media and email platforms, according to Bitdefender. --------------------------------------------- https://www.scmagazine.com/terdot-banking-trojan-targets-social-media-and-e… ∗∗∗ New White House Announcement on the Vulnerability Equities Process ∗∗∗ --------------------------------------------- The White House has released a new version of the Vulnerabilities Equities Process (VEP). This is the inter-agency process by which the US government decides whether to inform the software vendor of a vulnerability it finds, or keep it secret and use it to eavesdrop on or attack other systems. You can read the new policy or the fact sheet, but the best place to start is Cybersecurity Coordinator Rob Joyces blog post. --------------------------------------------- https://www.schneier.com/blog/archives/2017/11/new_white_house_1.html ∗∗∗ Oracle scrambles to sew up horrid security holes in PeopleSofts Tuxedo ∗∗∗ --------------------------------------------- Nothing like unauthd hijacking, Heartbleed-style bugs to patch ASAP Oracle has published an out-of-band software update to address a handful of security flaws in parts of the PeopleSoft HR software. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/11/16/oracle_peop… ∗∗∗ US-CERT: Security Tip (ST17-001) Securing the Internet of Things ∗∗∗ --------------------------------------------- The Internet of Things is becoming an important part of everyday life. Being aware of the associated risks is a key part of keeping your information and devices secure. --------------------------------------------- https://www.us-cert.gov/ncas/tips/ST17-001 ∗∗∗ Over 530 cyber-activities during fifth edition of European Cyber Security Month ∗∗∗ --------------------------------------------- The 2017 European Cyber Security Month (ECSM) has ended. This was the fifth consecutive edition of the awareness campaign put together by the EU Cybersecurity Agency ENISA, the EU Commission’s DG CONNECT and their partners. ... During the month of October, some 530 activities such as conferences, workshops, seminars and online courses took place across Europe, --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/over-530-cyber-activities-durin… ∗∗∗ Supplementing Windows Audit, Alerting, and Remediation with PowerShell [PDF] ∗∗∗ --------------------------------------------- This paper outlines the use of PowerShell to supplement audit, alerting, and remediation platform for Windows environments. This answers the question of why use PowerShell for these purposes. Several examples of using PowerShell are included to start the thought process on why PowerShell should be the security multi-tool of first resort. Coverage includes how to implement these checks in a secure, automatable way. --------------------------------------------- https://www.sans.org/reading-room/whitepapers/assurance/supplementing-windo… ∗∗∗ Beware Catphishing attacks targeting the hearts of security pros ∗∗∗ --------------------------------------------- Malwarebytes researchers are warning IT workers seeking love online to beware "CatPhishing" scams which can leave entire companies devastated. --------------------------------------------- https://www.scmagazineuk.com/beware-catphishing-attacks-targeting-the-heart… ∗∗∗ Zehn Sicherheitslücken in Wiki-Software MediaWiki ∗∗∗ --------------------------------------------- Neue MediaWiki-Versionen schützen darauf aufsetzende Wikis unter anderem effektiver vor Brute-Force-Attacken. --------------------------------------------- https://heise.de/-3892250 ===================== = Vulnerabilities = ===================== ∗∗∗ BIG-IP SSL vulnerability CVE-2017-6168 ∗∗∗ --------------------------------------------- A BIG-IP virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages and/or a Man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server’s private key itself. --------------------------------------------- https://support.f5.com/csp/article/K21905460 ∗∗∗ Moxa NPort 5110, 5130, and 5150 ∗∗∗ --------------------------------------------- This advisory contains mitigation details for injection, information exposure, and resource exhaustion vulnerabilities in Moxa's NPort 5110, 5130, and 5150. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-320-01 ∗∗∗ Siemens SICAM ∗∗∗ --------------------------------------------- This advisory contains mitigation details for missing authentication for critical function, cross-site scripting, and code injection vulnerabilities in the Siemens SICAM products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-320-02 ∗∗∗ VMSA-2017-0019 ∗∗∗ --------------------------------------------- NSX for vSphere update addresses NSX Edge Cross-Site Scripting (XSS) issue. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0019.html ∗∗∗ VMSA-2017-0018 ∗∗∗ --------------------------------------------- VMware Workstation, Fusion and Horizon View Client updates resolve multiple security vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0018.html ∗∗∗ VU#817544: Windows 8.0 and later fail to properly randomize all applications if system-wide mandatory ASLR is enabled via EMET or Windows Defender Exploit Guard ∗∗∗ --------------------------------------------- http://www.kb.cert.org/vuls/id/817544 ∗∗∗ Bugtraq: [security bulletin] HPESBMU03794 rev.1 - HPE Insight Control, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541544 ∗∗∗ Bugtraq: [security bulletin] HPESBMU03795 rev.1 - HPE Matrix Operating Environment, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541543 ∗∗∗ DFN-CERT-2017-2068: Jenkins Plugin: Eine Schwachstelle ermöglicht einen Cross-Site-Scripting-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2068/ ∗∗∗ Security Advisory - Multiple Vulnerabilities of WPA and WPA2 Protocol in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171117-… ∗∗∗ Security Advisory - Sensitive Information Leak Vulnerability in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171117-… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in Oracle Outside In Technology affects IBM Rational DOORS Next Generation (CVE-2017-10141, CVE-2017-10196) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009204 ∗∗∗ IBM Security Bulletin: Vulnerabilities in Rational DOORS Next Generation with potential for Cross-Site Scripting attack ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010329 ∗∗∗ IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010744 ∗∗∗ IBM Security Bulletin: Vulnerabilities in Apache Tomcat affect IBM Storwize V7000 Unified (CVE-2017-7674, CVE-2017-7675) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010742 ∗∗∗ IBM Security Bulletin: Vulnerabilities in Apache Tomcat affect IBM SONAS (CVE-2017-7674, CVE-2017-7675) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010747 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Rational DOORS Next Generation with potential for Cross-Site Scripting attack ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010321 ∗∗∗ IBM Security Bulletin: IBM WebSphere Commerce could allow an authenticated attacker to obtain information such as user personal data. (CVE-2017-1484) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22010103 ∗∗∗ IBM Security Bulletin: Samba vulnerability issue affects IBM Storwize V7000 Unified (CVE-2017-9461) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010671 ∗∗∗ IBM Security Bulletin: IBM DataQuant is affected by an Open Source Apache Poi vulnerability. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010565 ∗∗∗ IBM Security Bulletin: Samba vulnerability affects IBM Storwize V7000 Unified (CVE-2017-2619) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010689 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.11.2017
by Daily end-of-shift report 16 Nov '17

16 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-11-2017 18:00 − Donnerstag 16-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Suspicious Domains Tracking Dashboard, (Thu, Nov 16th) ∗∗∗ --------------------------------------------- Domain names remain a gold mine to investigate security incidents or to prevent some malicious activity to occur on your network (example by using a DNS firewall). The ISC has also a page dedicated to domain names. But how can we detect potentially malicious DNS activity if domains are not (yet) present in a blacklist? The typical case is DGAs of Domain Generation Algorithm used by some malware families. --------------------------------------------- https://isc.sans.edu/diary/rss/23046 ∗∗∗ Microsoft DDE protocol based malware attacks ∗∗∗ --------------------------------------------- Introduction: Over the past few weeks, there have been several reports about the Microsoft Dynamic Data Exchange (DDE) vulnerability. To no ones surprise, hackers have been quick to exploit this vulnerability to spread malware through rigged Microsoft Word documents. In this same timeframe, the Zscaler ThreatLabZ team has seen a number of these malicious documents using the DDE vulnerability to download and execute malware. Most of the payloads we saw were Remote Access Trojans (RATs) [...] --------------------------------------------- https://www.zscaler.com/blogs/research/microsoft-dde-protocol-based-malware… ∗∗∗ Quad9: Datenschutzfreundliche Alternative zum Google-DNS ∗∗∗ --------------------------------------------- Wer Google nicht wesentliche Teile seines Surfverhaltens anvertrauen möchte, kann ab sofort auf einen alternativen DNS-Dienst ausweichen: 9.9.9.9 statt 8.8.8.8. Doch auch dort gibt es Besonderheiten. --------------------------------------------- https://www.heise.de/newsticker/meldung/Quad9-Datenschutzfreundliche-Altern… ∗∗∗ Ciscos Voice Operating System ist empfänglich für Angreifer ∗∗∗ --------------------------------------------- Angreifer könnten die Kontrolle über Cisco-Geräte mit Voice Operating System an sich reißen. Sicherheitsupdates schließen diese und weitere Lücken in anderen Produkten. --------------------------------------------- https://heise.de/-3891402 ∗∗∗ Sharp rise in fileless attacks evading endpoint security ∗∗∗ --------------------------------------------- A new Ponemon Institute survey of 665 IT and security leaders finds that over-reliance on traditional endpoint security is leaving organizations exposed to significant risk. 54 percent of respondents said their company experienced a successful attack. Of those respondents, 77 percent were victim to fileless attack or exploit. "This survey reveals that ignoring the growing threat of fileless attacks could be costly for organizations." said Dr. Larry Ponemon [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/11/16/fileless-attacks-evading-endpoin… ===================== = Vulnerabilities = ===================== ∗∗∗ Update: Kritische Lücke in Microsoft Office ermöglicht Remote Code Execution ∗∗∗ --------------------------------------------- Researcher haben eine schwerwiegende Sicherheitslücke in Microsoft Office entdeckt. Beschreibung Wenn ein Benutzer eine speziell präparierte Datei im Microsoft Excel-Format oder Microsoft Word-Format öffnet, kann in Folge ein Angreifer beliebigen Code, mit den Rechten des angemeldeten Benutzers, auf dem System ausführen. Die Schwachstelle basiert auf der Verwendung von [...] --------------------------------------------- http://www.cert.at/warnings/all/20171011.html ∗∗∗ Security Patch Compliance does not take effect on an activated Android device ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Bugtraq: CA20171114-01: Security Notice for CA Identity Governance ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541530 ∗∗∗ Yoast SEO <= 5.7.1 - Unauthenticated Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8960 ∗∗∗ DFN-CERT-2017-2056: FreeBSD: Mehrere Schwachstellen ermöglichen das Umgehen von Sicherheitsvorkehrungen und Ausspähen von Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2056/ ∗∗∗ DFN-CERT-2017-2046: MongoDB: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2046/ ∗∗∗ DFN-CERT-2017-2066: Webkit2GTK: Mehrere Schwachstellen ermöglichen die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2066/ ∗∗∗ Security Advisory - SQL Injection Vulnerabilities in Huawei UMA Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171116-… ∗∗∗ IBM Security Bulletin: Potential information leakages vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22010512 ∗∗∗ IBM Security Bulletin: IBM MQ certain file URLs could cause a buffer overwrite (CVE-2017-9502) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005401 ∗∗∗ Broken access control & LINQ injection in Progress Sitefinity ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/broken-access-control-linq-i… ∗∗∗ Shibboleth Service Provider Error in Dynamic MetadataProvider Plugin Lets Remote Users Bypass Security Restrictions on the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039808 ∗∗∗ MediaWiki Multiple Flaws Let Remote Users Modify Data, Obtain Potentially Sensitive Information, and Conduct Cross-Site Scripting Attacks and Let Local Users Obtain Passwords ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039812 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.11.2017
by Daily end-of-shift report 15 Nov '17

15 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-11-2017 18:00 − Mittwoch 15-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitsrisiko: Oneplus-Smartphones kommen mit eingebautem Root-Zugang ∗∗∗ --------------------------------------------- Oneplus verkauft offenbar seit Jahren seine Smartphones mit einem vorinstallierten Entwicklertool von Qualcomm, das Zugriff auf zahlreiche Systemressourcen erlaubt. Per ADB ist ein Root-Zugriff auf das jeweilige Gerät möglich. Der Hersteller will die Anwendung herauspatchen. --------------------------------------------- https://www.golem.de/news/sicherheitsrisiko-oneplus-smartphones-kommen-mit-… ∗∗∗ Privater Schlüssel: DXC veröffentlicht AWS-Key und muss 64.000 US-Dollar zahlen ∗∗∗ --------------------------------------------- Private Schlüssel in freier Wildbahn sind ein verbreitetes Problem. Zuletzt traf es das Sicherheitsunternehmen DXC, das den AWS-Schlüssel versehentlich bei Github hochlud - und dann die Rechnung dafür bekam. --------------------------------------------- https://www.golem.de/news/privater-schluessel-dxc-veroeffentlicht-aws-key-u… ∗∗∗ These Campaigns Explain Why AV Detection for New Malware Remains Low ∗∗∗ --------------------------------------------- This year we saw massive spam campaigns like NonPetya or Locky fly below the radar of antivirus software and went undetected during the first hours or even days. Some of them actually went undetected even for months. Second-generation malware usually has the ability to evade detection and bypass antivirus programs users have installed on their computers to [...] --------------------------------------------- https://heimdalsecurity.com/blog/campaigns-av-detection-new-malware-low/ ∗∗∗ Confusion reigns over crypto vuln in Spanish electronic ID smartcards ∗∗∗ --------------------------------------------- Certs revoked, but where are the updates? The impact of a recently discovered cryptographic vulnerability involving smartcards is causing issues in Spain similar to those previously experienced in Estonia. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/11/15/spanish_id_… ∗∗∗ TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL ∗∗∗ --------------------------------------------- Original release date: November 14, 2017 Systems Affected Network systems Overview This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government—commonly known as [...] --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA17-318A ∗∗∗ TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer ∗∗∗ --------------------------------------------- Original release date: November 14, 2017 | Last revised: November 15, 2017 Systems Affected Network systems Overview This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean [...] --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA17-318B ∗∗∗ Secure Engineering Guidelines ∗∗∗ --------------------------------------------- Some best practices for building and trusting software. --------------------------------------------- https://medium.com/@HockeyInJune/secure-engineering-guidelines-3b8845ac3265 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates available in Foxit MobilePDF for iOS 6.1 ∗∗∗ --------------------------------------------- Foxit has released Foxit MobilePDF for iOS 6.1, which addresses potential security and stability issues. --------------------------------------------- https://www.foxitsoftware.com/support/security-bulletins.php ∗∗∗ Microsoft Security Updates ∗∗∗ --------------------------------------------- MS17-023 Security Update for Adobe Flash Player MS17-022 Security Update for Microsoft XML Core Services MS17-021 Security Update for Windows DirectShow MS17-020 Security Update for Windows DVD Maker MS17-019 Security Update for Active Directory Federation Services MS17-018 Security Update for Windows Kernel-Mode Drivers MS17-017 Security Update for Windows Kernel MS17-016 Security Update for Windows IIS MS17-015 Security Update for Microsoft Exchange Server MS17-014 Security Update for [...] --------------------------------------------- https://technet.microsoft.com/en-us/security/bulletins ∗∗∗ QNX-2017-001 Multiple vulnerabilities impact BlackBerry QNX Software Development Platform ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Siemens SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS Products ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-318-01 ∗∗∗ ABB TropOS ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-318-02 ∗∗∗ Philips IntelliSpace Cardiovascular System and Xcelera System Vulnerability ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-318-01 ∗∗∗ Cisco Security Advisories and Alerts ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ DFN-CERT-2017-2041: Oracle Fusion Middleware, Oracle Tuxedo: Mehrere Schwachstellen ermöglichen u.a. eine vollständige Komprommittierung ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2041/ ∗∗∗ Security Advisory - Buffer overflow Vulnerability in CameraISP Driver of Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171115-… ∗∗∗ Security Advisory - DoS Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171108-… ∗∗∗ Security Advisory - Out-of-bounds Read Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171115-… ∗∗∗ Security Advisory - Multiple Vulnerabilities in MTK Platform ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171115-… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Java vulnerability CVE-2017-10176 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K05911127 ∗∗∗ Linux kernel vulnerability CVE-2017-11176 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56450659 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.11.2017
by Daily end-of-shift report 14 Nov '17

14 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Montag 13-11-2017 18:00 − Dienstag 14-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Breaking security controls using subdomain hijacking ∗∗∗ --------------------------------------------- Users obtain a domain name to establish a unique identity on the Internet. Domain names are not only used to serve names and addresses of computers and services but also to store security controls, such as SPF or CAA records. --------------------------------------------- https://securityblog.switch.ch/2017/11/14/subdomain-hijacking/ ∗∗∗ Investigating Command and Control Infrastructure (Emotet) ∗∗∗ --------------------------------------------- Although the majority of botnets still use a basic client-server model, with most relying on HTTP servers to receive commands, many prominent threats now use more advanced infrastructure to evade endpoint blacklisting and be resilient to take-down. In this article I will go through and explain my process of identifying Command and Control (C2) servers and understanding their topology, using Emotet as an example. --------------------------------------------- https://www.malwaretech.com/2017/11/investigating-command-and-control-infra… ∗∗∗ XZZX Cryptomix Ransomware Variant Released ∗∗∗ --------------------------------------------- A new CryptoMix Ransomware variant has been discovered that appends the .XZZX extension to encrypted files. This article will discuss the changes found in this new variant. --------------------------------------------- https://www.bleepingcomputer.com/news/security/xzzx-cryptomix-ransomware-va… ===================== = Vulnerabilities = ===================== ∗∗∗ SQL Injection in bbPress ∗∗∗ --------------------------------------------- During regular audits of our Sucuri Firewall (WAF), one of our researchers at the time, Slavco Mihajloski, discovered an SQL Injection vulnerability affecting bbPress. If the proper conditions are met, this vulnerability is very easy to abuse by any visitors on the victim’s website. Because details about this vulnerability have been made public today on a Hackerone report, and updating to the latest version of WordPress fixes the root cause of the problem, we chose to disclose this bug --------------------------------------------- https://blog.sucuri.net/2017/11/sql-injection-bbpress.html ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Flash Player (APSB17-33), Photoshop CC (APSB17-34), Connect (APSB17-35), Acrobat and Reader (APSB17-36), DNG Converter (APSB17-37), InDesign CC (APSB17-38), Digital Editions (APSB17-39), Shockwave Player (APSB17-40) and Adobe Experience Manager (APSB17-41). --------------------------------------------- https://blogs.adobe.com/psirt/?p=1510 ∗∗∗ #AVGater: Systemübernahme via Quarantäne-Ordner ∗∗∗ --------------------------------------------- Eine neue Angriffstechnik nutzt die Wiederherstellungs-Funktion der Anti-Viren-Quarantäne, um Systeme via Malware zu kapern. Bislang reagierten sechs Software-Hersteller mit Updates. --------------------------------------------- https://heise.de/-3889107 ∗∗∗ Authentication bypass, cross-site scripting & code execution in Siemens SICAM RTU SM-2556 ∗∗∗ --------------------------------------------- The Siemens SICAM RTUs SM-2556 COM Modules (firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00) are affected by an authentication bypass vulnerability as the authentication checks are only performed client-side (JavaScript). Furthermore, the device is affected by cross site scripting vulnerabilities and outdated webserver software which allows code execution. --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/authentication-bypass-cross-… ∗∗∗ Vulnerability in windows antivirus products (IK-SA-2017-0002) ∗∗∗ --------------------------------------------- A privilege escalation and arbitrary write vulnerability was found in all our windows antivirus products. [...] Successful exploitation of this issue would allow an attacker to overwrite any memory region (including kernel) in the client machine with elevated privileges. --------------------------------------------- http://www.ikarussecurity.com/about-ikarus/security-blog/vulnerability-in-w… ∗∗∗ SAP Security Patch Day - November 2017 ∗∗∗ --------------------------------------------- On 14th of November 2017, SAP Security Patch Day saw the release of 13 Security Notes. Additionally, there were 9 updates to previously released security notes. --------------------------------------------- https://blogs.sap.com/2017/11/14/sap-security-patch-day-november-2017/ ∗∗∗ DFN-CERT-2017-2025/">OTRS: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2025/ ∗∗∗ DFN-CERT-2017-2024/">Symantec Endpoint Encryption: Zwei Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2024/ ∗∗∗ IBM Security Bulletin: Vulnerability may affect IBM® SDK for Node.js™ (CVE-2017-14919) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009851 ∗∗∗ IBM Security Bulletin: IBM® Db2® is affected by vulnerabilities in the IBM® SDK, Java Technology Edition Quarterly Critical Patch Updates (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010282 ∗∗∗ IBM Security Bulletin: Open Source VMware Fusion Vulnerabilities in IBM Pure Application System (CVE-2017-4903, CVE-2017-4904, CVE-2017-4905) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009145 ∗∗∗ Cacti Input Validation Flaw in Page Refresh Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039774 ∗∗∗ jQuery vulnerability CVE-2016-7103 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K95208524 ∗∗∗ Java vulnerability CVE-2017-10135 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23489380 ∗∗∗ Java vulnerability CVE-2017-10198 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04734043 ∗∗∗ Java SE and JRockit vulnerability CVE-2017-10243 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54747614 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.11.2017
by Daily end-of-shift report 13 Nov '17

13 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-11-2017 18:00 − Montag 13-11-2017 18:00 Handler: Stephan Richter Co-Handler: Nina Bieringer ===================== = News = ===================== ∗∗∗ Detecting reflective DLL loading with Windows Defender ATP ∗∗∗ --------------------------------------------- Todays attacks put emphasis on leaving little, if any, forensic evidence to maintain stealth and achieve persistence. Attackers use methods that allow exploits to stay resident within an exploited process or migrate to a long-lived process without ever creating or relying on a file on disk. In recent blogs we described how attackers use basic... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/11/13/detecting-reflective-dl… ∗∗∗ Keep An Eye on your Root Certificates, (Sat, Nov 11th) ∗∗∗ --------------------------------------------- A few times a year, we can read in the news that a rogue root certificate was installed without the user consent. The latest story that pops up in my mind is the Savitech audio drivers which silently installs a root certificate[1]. The risks associated with this kind of behaviour are multiple, the most important remains performing MitM attacks. New root certificates are not always the result of an attack or infection by a malware. Corporate end-points might also get new root certificates. --------------------------------------------- https://isc.sans.edu/diary/rss/23030 ∗∗∗ Sicherheitsupdate: VMware AirWatch Launcher for Android als Sprungbrett für Angreifer ∗∗∗ --------------------------------------------- VMware schließt mehrere Sicherheitslücken in AirWatch Launcher und AirWatch Console for Android. Davon gilt keine als kritisch. --------------------------------------------- https://heise.de/-3888725 ∗∗∗ Hintergrund: Cardiac Scan: Herzbewegung als biometrisches Authentifizierungsmerkmal ∗∗∗ --------------------------------------------- Zu den gängigen biometrischen Identifikationsmerkmalen wie Fingerabdrücken, Iris-Scans oder Gesichtserkennung könnte sich bald auch das menschliche Herz gesellen. Denn keines bewegt sich wie das andere. --------------------------------------------- https://heise.de/-3842874 ∗∗∗ Ordinypt: Vermeintlicher Erpressungstrojaner-Ausbruch in Deutschland gibt Rätsel auf ∗∗∗ --------------------------------------------- Die vor kurzem aufgetauchte Ransomware Ordinypt löscht Dateien, statt sie zu verschlüsseln und hat es mit Fake-PDF-Dateien auf deutsche Personalabteilungen abgesehen. Allerdings gibt es bisher kaum Anzeichen auf Infektionen in freier Wildbahn. --------------------------------------------- https://heise.de/-3889143 ∗∗∗ Keine Bank Austria-Kundendaten aktualisieren ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte Bank Austria-Nachricht. Darin fordern sie Empfänger/innen dazu auf, dass sie eine Website aufrufen und auf dieser ihre persönlichen Kund/innendaten aktualisieren. Wer der Aufforderung nachkommt, übermittelt OnlineBanking-Zugangsdaten an Verbrecher/innen. --------------------------------------------- https://www.watchlist-internet.at/phishing/keine-bank-austria-kundendaten-a… ∗∗∗ Fighting persistent malware with a UEFI scanner, or ‘What’s it all about UEFI?” ∗∗∗ --------------------------------------------- The biggest news in malware so far this year has been WannaCryptor a.k.a. WannaCry, and one reason that particular ransomware spread so fast was because it used a "top secret" exploit developed by the NSA, an agency known to have dabbled in UEFI compromise. --------------------------------------------- https://www.welivesecurity.com/2017/11/10/uefi-scanner-fighting-persistent-… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Multiple Vulnerabilities in Foscam C1 Indoor HD Cameras ∗∗∗ --------------------------------------------- These vulnerabilities were discovered by Claudio Bozzato of Cisco Talos.Executive SummaryThe Foscam C1 Indoor HD Camera is a network-based camera that is marketed for use in a variety of applications, including use as a home security monitoring device. Talos recently identified several vulnerabilities present in these devices, and worked with Foscam to develop fixes for them, which we published the details for in a blog post here. --------------------------------------------- http://blog.talosintelligence.com/2017/11/foscam-multiple-vulns.html ∗∗∗ DSA-4031 ruby2.3 - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-4031 ∗∗∗ DSA-4032 imagemagick - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-4032 ∗∗∗ Vuln: ManageEngine ServiceDesk CVE-2017-11511 Arbitrary File Download Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/101788 ∗∗∗ WP Support Plus Responsive Ticket System <= 8.0.7 - Remote Code Execution (RCE) ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8949 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.11.2017
by Daily end-of-shift report 10 Nov '17

10 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-11-2017 18:00 − Freitag 10-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Olaf Schwarz ===================== = News = ===================== ∗∗∗ "Eavesdropper" Vulnerability Exposes Millions of Private Conversations ∗∗∗ --------------------------------------------- Security researchers have discovered that tens of developers have left API credentials in hundreds of applications built around the Twilio service. --------------------------------------------- https://www.bleepingcomputer.com/news/security/-eavesdropper-vulnerability-… ∗∗∗ Google Ranks Phishing Above Keyloggers & Password Reuse as Bigger Threat to Users ∗∗∗ --------------------------------------------- Research carried out by Google engineers and academics from the University of California, Berkeley and the International Computer Science Institute has revealed that phishing attacks pose a more significant threat to users losing access to their Google accounts when compared to keyloggers or password reuse. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-ranks-phishing-above-… ∗∗∗ First Android Malware Detected Using New "Toast Overlay" Attack ∗∗∗ --------------------------------------------- A theoretical attack described by security researchers at the start of September has been integrated into a live malware distribution campaign for the first time. --------------------------------------------- https://www.bleepingcomputer.com/news/security/first-android-malware-detect… ∗∗∗ Ordinypt: Erpressungstrojaner bedroht deutsche Firmen ∗∗∗ --------------------------------------------- Allem Anschein nach geht in Deutschland ein neuer Trojaner um, der auf Personalabteilungen zielt und Lösegeld erpresst. Der in Delphi verfasste Trojaner lässt Opfern allerdings keine Chance, ihre Daten wiederzubekommen. --------------------------------------------- https://heise.de/-3887249 ∗∗∗ Achtung: Abzocker-Version des Windows Movie Maker ist Nummer Eins bei Google ∗∗∗ --------------------------------------------- Eine gefälschte Version des nicht mehr von Microsoft angebotenen Windows Movie Maker verführt Opfer zum Download und bittet sie dann zur Kasse. Die Betrüger-Webseite hat es sogar ganz vorne in die Ergebnisse vieler Suchmaschinen geschafft. --------------------------------------------- https://heise.de/-3887323 ===================== = Vulnerabilities = ===================== ∗∗∗ Upcoming Security Updates for Adobe Reader and Acrobat (APSB17-36) ∗∗∗ --------------------------------------------- A prenotification Security Advisory has been posted regarding upcoming Adobe Reader and Acrobat updates scheduled for Tuesday, November 14, 2017. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1508 ∗∗∗ AutomationDirect CLICK, C-More, C-More Micro, GS Drives, and SL-Soft SOLO ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-313-01 ∗∗∗ Schneider Electric InduSoft Web Studio and InTouch Machine Edition ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-313-02 ∗∗∗ iOS 11.1.1 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT208255 ∗∗∗ DFN-CERT-2017-1998/">PostgreSQL: Mehrere Schwachstellen ermöglichen u.a. die Manipulation von Dateien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1998/ ∗∗∗ DFN-CERT-2017-1995/">GitLab: Mehrere Schwachstellen ermöglichen das Ausspähen von Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1995/ ∗∗∗ IBM Security Bulletin: IBM Content Classification is affected by a Open Source Commons FileUpload Apache Vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22010229 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM QRadar Network Security Manager component of IBM Security SiteProtector System ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007568 ∗∗∗ SSA-901333 (Last Update 2017-11-09): KRACK Attacks Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-901333… ∗∗∗ VMSA-2017-0017 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0017.html ∗∗∗ VMSA-2017-0016 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0016.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.11.2017
by Daily end-of-shift report 09 Nov '17

09 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-11-2017 18:00 − Donnerstag 09-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Evil pixels: researcher demos data-theft over screen-share protocols ∗∗∗ --------------------------------------------- Users see white noise, attackers see whatever they just stole from you Its the kind of thinking you expect from someone who lives in a volcano lair: exfiltrating data from remote screen pixel values. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/11/09/evil_pixels… ∗∗∗ Tausende Cisco-Switches offen im Internet – Angriffe laufen bereits ∗∗∗ --------------------------------------------- Über 200.000 Cisco Switches sind übers Internet erreichbar und lassen sich umkonfigurieren oder komplett übernehmen; mehrere tausend davon allein in Deutschland. Die Systeme werden bereits angegriffen, doch der Hersteller sieht keine Schwachstelle. --------------------------------------------- https://heise.de/-3882810 ∗∗∗ Hacker dringt weiter in Intels Management Engine vor ∗∗∗ --------------------------------------------- Maxim Goryachy von der Beratungsfirma Positive Technologies konnte eine Programmierschnittstelle zu Intels Managemet Engine öffnen, während Google-Experten die Firmware-Alternative NERF entwickeln. --------------------------------------------- https://heise.de/-3884928 ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4022 libreoffice - security update ∗∗∗ --------------------------------------------- Marcin Noga discovered two vulnerabilities in LibreOffice, which couldresult in the execution of arbitrary code if a malformed PPT or DOCdocument is opened. --------------------------------------------- https://www.debian.org/security/2017/dsa-4022 ∗∗∗ BlackBerry powered by Android Security Bulletin – November 2017 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ VU#739007: IEEE P1735 implementations may have weak cryptographic protections ∗∗∗ --------------------------------------------- http://www.kb.cert.org/vuls/id/739007 ∗∗∗ 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields - Version: 1.0 ∗∗∗ --------------------------------------------- https://technet.microsoft.com/en-us/library/security/4053440 ∗∗∗ Vuln: Multiple Asterisk Products CDR Remote Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/101760 ∗∗∗ DFN-CERT-2017-1987: Jenkins: Zwei Schwachstellen ermöglichen u.a. Manipulation von Dateien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1987/ ∗∗∗ DFN-CERT-2017-1991: Roundcube Webmail: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1991/ ∗∗∗ IBM Security Bulletin: Vulnerability in Service Assistant GUI affects SAN Volume Controller, Storwize family and FlashSystem V9000 products (CVE-2017-1710) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010788 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager appliances are affected by vulnerabilities in libtasn1 (CVE-2015-2806, CVE-2015-3622) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22010224 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007609 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg2C1000357 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2017-10115, CVE-2017-10116) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009304 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i and Rational Developer for AIX and Linux ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22010191 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.11.2017
by Daily end-of-shift report 08 Nov '17

08 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-11-2017 18:00 − Mittwoch 08-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ SSH Server "Time to Live"? Less than a cup of coffee!, (Wed, Nov 8th) ∗∗∗ --------------------------------------------- After the stories I posted last week on SSH, I had some folks ask me about putting an SSH server on the public internet - apparently lots of lots of folks still think that's a safe thing to do. --------------------------------------------- https://isc.sans.edu/diary/rss/23020 ∗∗∗ BSI veröffentlicht Bericht zur Lage der IT-Sicherheit in Deutschland 2017 ∗∗∗ --------------------------------------------- Der Lagebericht der nationalen Cyber-Sicherheitsbehörde beschreibt und analysiert die aktuelle IT-Sicherheitslage, die Ursachen von Cyber-Angriffen sowie die verwendeten Angriffsmittel und -methoden. Daraus abgeleitet zeigt das BSI Lösungsansätze zur Verbesserung der IT-Sicherheit in Deutschland auf. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Bericht_zur… ∗∗∗ Amazon Updates AWS Dashboard to Warn Admins When Theyre Exposing S3 Buckets ∗∗∗ --------------------------------------------- Following a long string of data leaks caused by misconfigured S3 servers, Amazon has decided to add a visible warning to the AWS backend dashboard panel that will let server admins know if one of their buckets (storage environments) is publicly accessible and exposing potentially sensitive data on the Internet. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazon-updates-aws-dashboard… ∗∗∗ Windows 10: Microsoft stellt Sicherheitsrichtlinien für Windows-PCs auf ∗∗∗ --------------------------------------------- Ein aktueller Prozessor, UEFI 2.4 und am besten ein TPM-Chip: Neue Sicherheitsrichtlinien machen Systeme mit Fall Creators Update laut Microsoft erst sicher. Die 8-GByte-RAM-Regel kann jedoch etwa das eigene Surface Pro teils nicht einhalten. (Windows 10, Microsoft) --------------------------------------------- https://www.golem.de/news/windows-10-microsoft-stellt-sicherheitsrichtlinie… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Advisory - Denial of Service Vulnerability on Huawei Smartphones ∗∗∗ --------------------------------------------- There is a denial of service vulnerability on Huawei Smartphones. An attacker could make an loop exit condition that cannot be reached by sending the crafted 3GPP message. Successful exploit could cause the device to reboot. (Vulnerability ID: HWPSIRT-2017-09085) This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-15345. Huawei has released software updates to fix this vulnerability. --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171108-… ∗∗∗ Security Advisory - Information Leak Vulnerability in Huawei FusionSphere OpenStack ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171108-… ∗∗∗ Security Advisory - Three Buffer Overflow Vulnerabilities in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171108-… ∗∗∗ Security Advisory - Command Injection Vulnerability in OpsMonitor ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171108-… ∗∗∗ IBM Security Bulletin: IBM Tivoli Netcool Impact affected by IBM® SDK Java™ Technology Edition Quarterly CPU – Jul 2017 – Includes Oracle Jul 2017 CPU vulnerabilities in IBM WebSphere Application Server ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010162 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Guardium Data Redaction (multiple CVEs) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008888 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager appliances are affected by kernel vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22010223 ∗∗∗ Kernel vulnerabilities CVE-2017-12192 and CVE-2017-15274 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K33567812 ∗∗∗ Java vulnerability CVE-2017-10118 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K42185012 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.11.2017
by Daily end-of-shift report 07 Nov '17

07 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Montag 06-11-2017 18:00 − Dienstag 07-11-2017 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Security: Malware mit legitimen Zertifikaten weit verbreitet ∗∗∗ --------------------------------------------- Aktuelle Forschungen werfen erneut ein schlechtes Licht auf den Umgang mit Zertifikaten. Fast 200 Malware-Proben sind mit legitimen digitalen Unterschriften ausgestattet gewesen. Damit kann die Schadsoftware Prüfungen durch Sicherheitssoftware bestehen. (Security, Virus) --------------------------------------------- https://www.golem.de/news/security-malware-mit-legitimen-zertifikaten-weit-… ∗∗∗ NCSC publishes factsheet Post-quantum cryptography ∗∗∗ --------------------------------------------- The emergence of quantum computers can have major implications for organizations that process sensitive information. Using a future quantum computer, one can decrypt data that is encrypted with popular cryptographic algorithms. The consequences are, however, even more serious. Encrypted data may already be intercepted, awaiting the possibility to decrypt the data with a future quantum computer. --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/ncsc-publishes-factsheet-po… ∗∗∗ The Apple iOS 11 Privacy and Security Settings You Should Check ∗∗∗ --------------------------------------------- Heads up, iPhone owners. iOS 11 comes with a batch of security features that merit your attention. --------------------------------------------- https://www.wired.com/story/ios-11-privacy-security-settings ∗∗∗ Warnung vor gefälschter Bank Austria-Sicherheits-App ∗∗∗ --------------------------------------------- In einer gefälschten Bank Austria-Nachricht fordern Kriminelle Empfänger/innen dazu auf, dass sie eine Sicherheits-App installieren. Die Installation der Anwendung sei erforderlich, damit Kund/innen weiterhin das OnlineBanking ihrer Bank nützen können. In Wahrheit ist die Sicherheits-App Schadsoftware. Sie hilft den Betrüger/innen dabei, das Geld ihrer Opfer zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/phishing/warnung-vor-gefaelschter-bank-au… ===================== = Vulnerabilities = ===================== ∗∗∗ Oh Brother: Hackers can crash your unpatched printers – researchers ∗∗∗ --------------------------------------------- DoSsing for fun and profit not just a nuisance, they warn Security researchers have said theyve uncovered a new way for hackers to crash Brother printers.… --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/11/07/brother_pri… ∗∗∗ DFN-CERT-2017-1975/">Chrome OS: Mehrere Schwachstellen ermöglichen u.a. die komplette Kompromittierung betroffener Systeme ∗∗∗ --------------------------------------------- Betroffene Software: Chrome OS < 62.0.3202.74 Betroffene Plattformen: Chrome OS Lösung: Patch; Chrome Stable Channel Update for Chrome OS, 27.10.2017 --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1975/ ∗∗∗ DFN-CERT-2017-1972/">Google Android Operating System: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- Betroffene Software * Google Android Operating System < 5.0.2 2017-11-06 * Google Android Operating System < 5.1.1 2017-11-06 * Google Android Operating System < 6.0 2017-11-06 * Google Android Operating System < 6.0.1 2017-11-06 * Google Android Operating System < 7.0 2017-11-06 * Google Android Operating System < 7.1.1 2017-11-06 * Google Android Operating System < 7.1.2 2017-11-06 * Google Android Operating System < 8.0 2017-11-06 * LG Mobile Android < SMR-NOV-2017 * Samsung Mobile Android < SMR-NOV-2017 Betroffene Plattformen * Google Nexus * Google Pixel * Google Android Operating System * LG Mobile Android * Samsung Mobile Android --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1972/ ∗∗∗ Vulnerabilities in multiple third party TYPO3 CMS extensions ∗∗∗ --------------------------------------------- several vulnerabilities have been found in the following third party TYPO3 extensions: * "File manager" (ameos_filemanager) * "T3Blog Extbase" (t3extblog) * "Recommend page " (pb_recommend_page) * "Formhandler" (formhandler) * "restler" (restler) * "CAB FAL search" (falsearch) * "Multishop" (multishop) --------------------------------------------- http://lists.typo3.org/pipermail/typo3-announce/2017/000413.html ∗∗∗ [20171103] - Core - Information Disclosure ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/ZBmazG0EZeU/715-20171103-c… ∗∗∗ [20171102] - Core - 2-factor-authentication bypass ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/KWysQZRrTWQ/713-20171102-c… ∗∗∗ [20171101] - Core - LDAP Information Disclosure ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/_Ud0fZdMIyg/714-20171101-c… ∗∗∗ DFN-CERT-2017-1973/">Symantec Endpoint Protection: Mehrere Schwachstellen ermöglichen u.a. die Eskalation von Privilegien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1973/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions (Multiple CVEs) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008552 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Virtualization Engine TS7700 – July 2017 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010650 ∗∗∗ IBM Security Bulletin: A vulnerability in the SQLite component of the Response Time agent affects IBM Performance Management products ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007610 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environments Java Technology Edition, versions 6, 7, & 8 affect Transformation Extender ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004827 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22010154 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environments Java Technology Edition, versions 6, 7, & 8 affect Transformation Extender ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008814 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.11.2017
by Daily end-of-shift report 06 Nov '17

06 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-11-2017 18:00 − Montag 06-11-2017 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ===================== = Vulnerabilities = ===================== ∗∗∗ DFN-CERT-2017-1961/">Tor Browser: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, nicht authentisierter Angreifer kann mit Hilfe einer speziell präparierten URL, die von einem Benutzer des Tor Browsers aufgerufen wird, eine direkte Verbindung des Systems zu entfernten Hosts erzwingen und dadurch die echte IP-Adresse des betroffenen Systems ausspähen. Das Tor Projekt informiert über die Schwachstelle im Tor Browser auf Linux- und macOS-Systemen und stellt die Versionen 7.0.7 und 7.5a7 als Sicherheitsupdates zur Verfügung. Benutzer von Tails und dem vom Tor Projekt veröffentlichten Sandboxed Tor Browser sind nicht betroffen. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1961/ ∗∗∗ Bugtraq: Webmin v1.850 Remote Code Execution (hyp3rlinx / apparitionsec) ∗∗∗ --------------------------------------------- The following advisory describes three (3) vulnerabilities found in Webmin version 1.850 ... XSS vulnerability that leads to Remote Code Execution CSRF Schedule arbitrary commands Server Side Request Forgery --------------------------------------------- http://www.securityfocus.com/archive/1/541481 ∗∗∗ Vuln: Avaya IP Office Contact Center CVE-2017-12969 Remote Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- Avaya IP Office Contact Center is prone to a remote buffer-overflow vulnerability. Attackers can exploit this issue to execute arbitrary code within the context of the user. Failed attempts will likely cause a denial-of-service condition. Avaya IP Office (IPO) versions 9.1.0 through 10.1 are vulnerable. --------------------------------------------- http://www.securityfocus.com/bid/101667 ∗∗∗ IBM Security Bulletin: IBM Web Experience Factory is affected by an Apache Commons FileUpload vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010215 ∗∗∗ IBM Security Bulletin: Security vulnerabilities in IBM Java Runtime affect IBM RLKS Administration and Reporting Tool Admin ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009870 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by a cross-site request forgery vulnerability (CVE-2017-1194) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009242 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by a cross-site request forgery vulnerability (CVE-2017-1194) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009240 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by a cross-site request forgery vulnerability (CVE-2017-1194) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009591 ∗∗∗ IBM Security Bulletin: Security vulnerability in IBM Business Process Manager affects IBM Cloud Orchestrator (CVE-2017-1140) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg2C1000354 ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2017-1137) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg2C1000349 ∗∗∗ BIG-IP FastL4 TMM vulnerability CVE-2017-6166 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K65615624 ∗∗∗ PHP vulnerability CVE-2017-11628 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K75543432 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.11.2017
by Daily end-of-shift report 03 Nov '17

03 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-11-2017 18:00 − Freitag 03-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ E-Government: Estland blockiert 760.000 eID-Zertifikate ∗∗∗ --------------------------------------------- Die von einer Sicherheitslücke betroffenen Zertifikate der estnischen eID-Karte werden nun doch zurückgezogen, nachdem der RSA-Bug von Infineon öffentlich ist. Estland will die Zertifikate updaten und künftig auf elliptische Kurven setzen. --------------------------------------------- https://www.golem.de/news/e-government-estland-blockiert-760-000-eid-zertif… ∗∗∗ Savitech: USB-Audiotreiber installiert Root-Zertifikat ∗∗∗ --------------------------------------------- Ein Treiber von Savitech installiert Root-Zertifikate in Windows, mit denen theoretisch HTTPS-Verbindungen angegriffen werden können. Genutzt wird der USB-Audiotreiber in Geräten von Asus, Dell oder auch Audio-Technica. Die Zertifikate waren für Windows XP gedacht und wurden vergessen. --------------------------------------------- https://www.golem.de/news/savitech-usb-audiotreiber-installiert-root-zertif… ∗∗∗ Attacking SSH Over the Wire - Go Red Team!, (Thu, Nov 2nd) ∗∗∗ --------------------------------------------- So, now that we've talked about securing SSH and auditing SSH over the last few days, how about attacking SSH? --------------------------------------------- https://isc.sans.edu/diary/rss/23000 ∗∗∗ QtBot downloader discovered in geo-based Locky-Trickbot campaign ∗∗∗ --------------------------------------------- Researchers from Palo Alto Networks have uncovered QtBot, an intermediate-stage downloader that helps to deliver the final payload in geography-based Locky-Trickbot malspam campaigns. --------------------------------------------- https://www.scmagazine.com/qtbot-downloader-discovered-in-geo-based-locky-t… ∗∗∗ Call for Speakers - 30th Annual FIRST Conference ∗∗∗ --------------------------------------------- The 30th Annual FIRST Conference is coming back to Asia next June 24-29, 2018 and we are looking for engaging speakers to present on relevant incident response and information security topics. FIRST brings together a wide variety of security and incident response professionals from public, private and academic sectors around the world in an information exchange and co-operation of trust on issues of mutual interest. --------------------------------------------- https://www.first.org/conference/2018/cfp ∗∗∗ Sicherheitsupdates: Cisco schützt unter anderem Firewalls vor feindlicher Übernahme ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco schließt mehrere Sicherheitslücken in zum Beispiel der Aironet-Serie, Firepower-Reihe und im WebEx Meetings Server. --------------------------------------------- https://heise.de/-3878040 ∗∗∗ Mobile Pwn2Own: Hacker knacken Samsung S8 mittels beachtlicher Sicherheitslücken-Combo ∗∗∗ --------------------------------------------- Auf dem Mobile-Pwn2Own-Wettbewerb haben Hacker zwei Tage lang mobile Geräte von Apple, Huawei und Samsung erfolgreich attackiert. Der Veranstalter schüttete dafür in der Summe 515.000 US-Dollar aus. --------------------------------------------- https://heise.de/-3878099 ∗∗∗ BEC scammers are robbing art galleries and collectors ∗∗∗ --------------------------------------------- BEC scammers are targeting art galleries, collectors and artists, swindling them out of money and, on occasion, ruining their businesses. According to The Art Newspaper, nine art galleries in the UK and the US have been hit, some of them successfully. Insurance broker Adam Prideaux told the publication, the actual number of targets is likely considerably higher. The scammers’ MO The scammers start by finding a way to compromise an art dealer’s email account, and [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/11/03/bec-scammers-robbing-art-galleri… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco IOS XE Software Ethernet Virtual Private Network Border Gateway Protocol Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Border Gateway Protocol (BGP) over an Ethernet Virtual Private Network (EVPN) for Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload, resulting in a denial of service (DoS) condition, or potentially corrupt the BGP routing table, which could result in network instability. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DSA-4015 openjdk-8 - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-4015 ∗∗∗ DFN-CERT-2017-1954: Red Hat JBoss Enterprise Web Server: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1954/ ∗∗∗ DFN-CERT-2017-1955: Red Hat JBoss Fuse, Red Hat JBoss A-MQ: Mehrere Schwachstellen ermöglichen u.a. die Manipulation von Daten ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1955/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security Advisory - Seven vulnerabilities in Google Dnsmasq ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171103-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.11.2017
by Daily end-of-shift report 02 Nov '17

02 Nov '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 31-10-2017 18:00 − Donnerstag 02-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Bericht: Log-in-Daten in iOS-Apps können ausgespäht werden ∗∗∗ --------------------------------------------- Die Log-in-Daten können bei 111 der 200 populärsten iOS-Apps einfach ausgelesen werden. Möglich wird das durch eine unsaubere Implementierung von HTTPs. --------------------------------------------- https://futurezone.at/digital-life/bericht-log-in-daten-in-ios-apps-koennen… ∗∗∗ CLDAP is Now the No.3 Reflection Amplified DDoS Attack Vector, Surpassing SSDP and CharGen ∗∗∗ --------------------------------------------- With our DDoSMon, we are able to perform continuous and near real-time monitoring on global DDoS attacks. For quite a long time, DNS, NTP, CharGen and SSDP have been the most frequently abused services in DDoS reflection amplification attacks. They rank respectively 1st, 2nd, 3rd and [...] --------------------------------------------- http://blog.netlab.360.com/cldap-is-now-the-3rd-reflection-amplified-ddos-a… ∗∗∗ ENGELSYSTEM - User notification ∗∗∗ --------------------------------------------- [...] ab dem 12. Dezember 2015 wurden zwei professionelle Phishingdomains fuer das engelsystem, engelsystem.com und engelsystem.net, eingerichtet. Diese wurden erst jetzt von uns gefunden und danach zeitnah, nach einer Abuse-Meldung von uns, vom Hoster offline genommen. --------------------------------------------- https://engelsystem.de/usernotification.html ∗∗∗ Goodbye, login. Hello, heart scan. ∗∗∗ --------------------------------------------- A new non-contact, remote biometric tool could be the next advance in computer security. --------------------------------------------- http://www.buffalo.edu/news/releases/2017/09/034.html ∗∗∗ macOS 10.12 und 10.11: KRACK-Lücke gestopft, Loch im Schlüsselbund bleibt ∗∗∗ --------------------------------------------- Apple hat ein Sicherheitsupdate für Sierra und El Capitan veröffentlicht, in dem ein vieldiskutiertes WLAN-Problem behoben wurde. Ein anderer schwerwiegender Fehler wurde hingegen offenbar nicht angegangen. --------------------------------------------- https://heise.de/-3876491 ∗∗∗ Jetzt patchen! SQL-Injection-Lücke bedroht WordPress ∗∗∗ --------------------------------------------- Die abgesicherte WordPress-Version 4.8.3 ist erschienen. Nutzer sollten diese zügig installieren, da Angreifer Webseiten via SQL-Injection-Attacke übernehmen könnten. --------------------------------------------- https://heise.de/-3876623 ∗∗∗ Misconfigured Amazon S3 Buckets allowing man-in-the-middle attacks ∗∗∗ --------------------------------------------- https://www.scmagazineuk.com/news/misconfigured-amazon-s3-buckets-allowing-… ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- This advisory contains mitigation details for stack-based buffer overflow and untrusted pointer dereference vulnerabilities in Advantechs WebAccess. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02 ∗∗∗ Apple Releases Multiple Security Updates ∗∗∗ --------------------------------------------- Original release date: October 31, 2017 Apple has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.US-CERT encourages users and administrators to review Apple security pages for the following products and apply the necessary updates: Cloud for Windows 7.1 iOS 11.1 iTunes 12.7.1 for Windows macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/10/31/Apple-Releases-Mul… ∗∗∗ OpenSSL Security Advisory [02 Nov 2017] ∗∗∗ --------------------------------------------- bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) --------------------------------------------- https://www.openssl.org/news/secadv/20171102.txt ∗∗∗ Vuln: EMC AppSync CVE-2017-14376 Local Hardcoded Credentials Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/101626 ∗∗∗ DFN-CERT-2017-1928: FortiClient: Eine Schwachstelle ermöglicht die Eskalation von Privilegien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1928/ ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ HPESBHF03787 rev.1 - Hewlett Packard Enterprise Intelligent Management Center (iMC) PLAT, Deserialization of Untrusted Data, Remote Code Execution ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03787en… ∗∗∗ Security Advisory - Three Out-of-bounds Read Vulnerabilities in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171101-… ∗∗∗ Security Notice - Statement on a Security Vulnerability of Huawei Mate9 Pro Demonstrated at the Mobile Pwn20wn Contest in the PacSec Conference ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20171101-01-… ∗∗∗ EMC Unisphere for VMAX Virtual Appliance Authentication Bypass Lets Remote Users Access the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039704 ∗∗∗ Java SE vulnerability CVE-2017-10116 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K35104614 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.10.2017
by Daily end-of-shift report 31 Oct '17

31 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Montag 30-10-2017 18:00 − Dienstag 31-10-2017 18:00 Handler: Nina Bieringer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Flaws in Googles Bug Tracker Exposed Companys Vulnerability Database ∗∗∗ --------------------------------------------- A Romanian bug hunter has found three flaws in Googles official bug tracker, one of which could have been used to exposed sensitive vulnerabilities to unauthorized intruders. --------------------------------------------- https://www.bleepingcomputer.com/news/security/flaws-in-googles-bug-tracker… ∗∗∗ New VibWrite System Uses Finger Vibrations to Authenticate Users ∗∗∗ --------------------------------------------- Rutgers engineers have created a new type of user authentication system that relies on transmitting vibrations through a surface and having the user touch the surface to generate a unique signature. This signature is then used to approve or deny a user access to an app, room, or building. --------------------------------------------- https://www.bleepingcomputer.com/news/technology/new-vibwrite-system-uses-f… ∗∗∗ Tales from the blockchain ∗∗∗ --------------------------------------------- We will tell you two unusual success stories that happened on the "miner front". The first story echoes the TinyNuke event and, in many respects gives an idea of the situation with miners. The second one proves that to get crypto-currency, you don’t need to "burn" the processor. --------------------------------------------- http://securelist.com/tales-from-the-blockchain/82971/ ∗∗∗ Engineers at Work: Automatic Static Detection of Malicious JavaScript ∗∗∗ --------------------------------------------- Our engineers at work examine the automatic static detection of malicious JavaScript. --------------------------------------------- https://researchcenter.paloaltonetworks.com/2017/10/engineers-work-automati… ∗∗∗ Say what? Another reCaptcha attack, now against audio challenges ∗∗∗ --------------------------------------------- unCaptcha is the sound of security crumbling Whatever Google has in mind to replace its reCaptcha had better be ready soon: another research group has found a way to defeat it. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/31/uncaptcha_r… ∗∗∗ Ebury and Mayhem server malware families still active ∗∗∗ --------------------------------------------- Ebury and Mayhem, two families of Linux server malware, about which VB published papers back in 2014, are still active and have received recent updates. --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/10/ebury-and-mayhem-server-malw… ∗∗∗ [SANS ISC] Some Powershell Malicious Code ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.org: "Some Powershell Malicious Code". Powershell is a great language that can interact at a low-level with Microsoft Windows. While hunting, I found a nice piece of Powershell code. After some deeper checks, it appeared that the code was not brand new [...] --------------------------------------------- https://blog.rootshell.be/2017/10/31/sans-isc-powershell-malicious-code/ ∗∗∗ WordPress 4.8.3 Security Release ∗∗∗ --------------------------------------------- WordPress 4.8.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. --------------------------------------------- https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/ ∗∗∗ IoT-Botnetz ist wohl kleiner als angenommen ∗∗∗ --------------------------------------------- Aktuellen Analysen zufolge soll das Reaper-Botnetz mit 10.000 bis 20.000 IoT-Geräten wesentlich kleiner sein als zuvor angenommen. Der zugrunde liegende optimierte Mirai-Quellcode birgt aber viel Potenzial für erfolgreiche (DDoS-)Angriffe. --------------------------------------------- https://heise.de/-3876165 ∗∗∗ WhatsApp Messenger-Konto läuft nicht ab ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte WhatsApp-E-Mail. Darin behaupten sie, dass das Konto von Nutzer/innen ablaufe. Das Konto müssen Kund/innen für die weitere Verwendung des Programms verlängern. Dafür ist die Bekanntgabe von Kreditkartendaten notwendig. Wer der betrügerischen Aufforderung nachkommt, wird Opfer eines Datendiebstahls. --------------------------------------------- https://www.watchlist-internet.at/phishing/whatsapp-messenger-konto-laeuft-… ∗∗∗ Antimalware Day: Genesis of viruses… and computer defense techniques ∗∗∗ --------------------------------------------- To honor the work of Dr. Fred Cohen and Professor Len Adleman, and the foundation they laid for research of computer threats, we decided to declare November 3 as the first ever Antimalware Day. --------------------------------------------- https://www.welivesecurity.com/2017/10/31/antimalware-day-genesis-viruses/ ===================== = Vulnerabilities = ===================== ∗∗∗ ABB FOX515T ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an improper input validation vulnerability in ABBs FOX515T communication interface. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-304-01 ∗∗∗ Trihedral Engineering Limited VTScada ∗∗∗ --------------------------------------------- This advisory contains mitigation details for improper access control and uncontrolled search path element vulnerabilities in Trihedral Engineering Limiteds VTScada software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-304-02 ∗∗∗ NetIQ Access Manager 4.2 Support Pack 5 4.2.5.0-17 ∗∗∗ --------------------------------------------- Abstract: NetIQ Access Manager 4.2 Support Pack 5 build (version 4.2.5.0-17). This file contains updates for services contained in the NetIQ Access Manager 4.2 product. NetIQ recommends that all customers running Access Manager 4.2 release code apply this patch. The purpose of the patch is to provide a bundle of fixes for issues that have surfaced since NetIQ Access Manager 4.2 was released. These fixes include updates to the Access Gateway Appliance, Access Gateway Service, Identity Server, [...] --------------------------------------------- https://download.novell.com/Download?buildid=HcH_x-A_kgo~ ∗∗∗ Microsoft Windows 10 Creators Update 32-bit Ring-0 Code Execution ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017100212 ∗∗∗ DSA-4011 quagga - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-4011 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ HPESBHF03788 rev.1 - Hewlett Packard Enterprise Intelligent Management Center flexFileUpload Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03788en_us ∗∗∗ RPC portmapper vulnerability CVE-1999-0632 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K62832776 ∗∗∗ Apache OpenOffice patches four vulnerabilities in 4.1.4 update ∗∗∗ --------------------------------------------- https://www.scmagazineuk.com/news/apache-openoffice-patches-four-vulnerabil… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.10.2017
by Daily end-of-shift report 30 Oct '17

30 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-10-2017 18:00 − Montag 30-10-2017 18:00 Handler: Nina Bieringer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Cybercrime-Report 2016: Zahl der Anzeigen 2016 fast um ein Drittel gestiegen ∗∗∗ --------------------------------------------- Das Bundeskriminalamt präsentierte am 30. Oktober 2017 den Cybercrime-Report 2016. Demnach ist die Zahl der Cybercrime-Anzeigen 2016 im Vergleich zum Jahr davor um fast ein Drittel gestiegen. --------------------------------------------- http://www.bmi.gv.at/news.aspx?id=5062565A4F35476A2B38453D ∗∗∗ Matrix Ransomware Being Distributed by the RIG Exploit Kit ∗∗∗ --------------------------------------------- The Matrix Ransomware has started to be distributed through the RIG exploit kit. This article will provide information on what vulnerabilities are being targeted and how to protect yourself. --------------------------------------------- https://www.bleepingcomputer.com/news/security/matrix-ransomware-being-dist… ∗∗∗ Firefox to Get a Better Password Manager ∗∗∗ --------------------------------------------- Mozilla engineers have started work on a project named Lockbox that they describe as "a work-in-progress extension [...] to improve upon Firefoxs built-in password management." --------------------------------------------- https://www.bleepingcomputer.com/news/software/firefox-to-get-a-better-pass… ∗∗∗ Pharmahersteller: Merck musste wegen NotPetya-Angriff Medikamente leihen ∗∗∗ --------------------------------------------- Auch das Pharmaunternehmen Merck Sharp und Dohme merkt den NotPetya-Angriff in seiner Bilanz: Rund 375 Millionen US-Dollar Ausfall gibt das Unternehmen durch die Ransomware an. Um den Betrieb trotz Produktionsausfällen aufrechtzuerhalten, hat sich die Firma sogar Medikamente bei den US-Behörden geliehen. --------------------------------------------- https://www.golem.de/news/pharmahersteller-merck-musste-wegen-notpetya-angr… ∗∗∗ Freie Linux-Firmware: Google will Server ohne Intel ME und UEFI ∗∗∗ --------------------------------------------- Nach dem Motto "Habt ihr Angst? Wir schon!" arbeitet ein Team von Googles Coreboot-Entwicklern mit Kollegen daran, Intels ME und das proprietäre UEFI auch in Servern unschädlich zu machen. Und das wohl mit Erfolg. --------------------------------------------- https://www.golem.de/news/freie-linux-firmware-google-will-server-ohne-inte… ∗∗∗ "Catch-All" Google Chrome Malicious Extension Steals All Posted Data, (Fri, Oct 27th) ∗∗∗ --------------------------------------------- It seems that malicious Google Chrome extensions are on the rise. A couple of months ago, I posted here about two of them which stole user credentials posted on banking websites and alike. Now, while analyzing a phishing e-mail, I went through a new malware with a slight different approach: instead of monitoring specific URLs and focusing .. --------------------------------------------- https://isc.sans.edu/diary/rss/22976 ∗∗∗ IOActive disclosed 2 critical flaws in global satellite telecommunications Inmarsat’s SATCOM systems ∗∗∗ --------------------------------------------- Flaws in Stratos Global AmosConnect 8 PC-based SATCOM service impact thousands of customers worldwide running the newest version of the platform that is used in vessels. Security researchers at IOActive have disclosed critical security vulnerabilities in the maritime Stratos Global’s AmosConnect 8.4.0 satellite-based shipboard communication .. --------------------------------------------- http://securityaffairs.co/wordpress/64902/breaking-news/satcom-amosconnect-… ∗∗∗ Hackers Can Steal Windows Login Credentials Without User Interaction ∗∗∗ --------------------------------------------- Microsoft has patched only recent versions Windows against a dangerous hack that could allow attackers to steal Windows NTLM password hashes without any user interaction. The hack is easy to carry out and doesn't involve advanced technical skills to pull off. All the attacker needs to do is to place a malicious SCF file inside publicly accessible Windows folders. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-can-steal-windows-lo… ∗∗∗ McAfee stoppt Einblick in den Quellcode ∗∗∗ --------------------------------------------- Der amerikanische Antivirenspezialist gibt im Rahmen eines grundsätzlichen Strategiewechsels seit einiger Zeit fremden Regierungen keinen Zugang mehr zum Quellcode. --------------------------------------------- https://heise.de/-3875393 ∗∗∗ HTTPS-Verschlüsselung: Google verabschiedet sich vom Pinning ∗∗∗ --------------------------------------------- Das Festnageln von Zertifikaten sollte gegen Missbrauch schützen. In der Praxis wurde es jedoch selten eingesetzt. Zu kompliziert und zu fehlerträchtig lautet nun das Verdikt; demnächst soll die Unterstützung aus Chrome wieder entfernt werden. --------------------------------------------- https://heise.de/-3876078 ∗∗∗ Windigo Still not Windigone: An Ebury Update ∗∗∗ --------------------------------------------- In 2014, ESET researchers wrote a blog post about an OpenSSH backdoor and credential stealer called Linux/Ebury In 2017, the team found a new Ebury .. --------------------------------------------- https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/ ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4008 wget - security update ∗∗∗ --------------------------------------------- Antti Levomaeki, Christian Jalio, Joonas Pihlaja and Juhani Eronen discovered two buffer overflows in the HTTP protocol handler of the Wget download tool, which could result in the execution of arbitrary code when connecting to a malicious HTTP server. --------------------------------------------- https://www.debian.org/security/2017/dsa-4008 ∗∗∗ DSA-4010 git-annex - security update ∗∗∗ --------------------------------------------- It was discovered that git-annex, a tool to manage files with git without checking their contents in, did not correctly handle maliciously constructed ssh:// URLs. This allowed an attacker to run an arbitrary shell command. --------------------------------------------- https://www.debian.org/security/2017/dsa-4010 ∗∗∗ Oracle Security Alert Advisory - CVE-2017-10151 ∗∗∗ --------------------------------------------- This Security Alert addresses CVE-2017-10151, a vulnerability affecting Oracle Identity Manager. This vulnerability has a CVSS v3 base score of 10.0, and can result in complete compromise of Oracle Identity Manager via an unauthenticated network attack. The Patch Availability Document referenced below provides a full workaround for this vulnerability, and will be updated when patches in addition to the workaround are available. --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10151-40… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ F5 Security Advisories ∗∗∗ --------------------------------------------- https://support.f5.com/csp/new-updated-articles ∗∗∗ Security Advisory - Permission Control Vulnerability in Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171030-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.10.2017
by Daily end-of-shift report 27 Oct '17

27 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-10-2017 18:00 − Freitag 27-10-2017 18:00 Handler: Nina Bieringer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Reaper IoT botnet aint so scary, contains fewer than 20,000 drones ∗∗∗ --------------------------------------------- But numbers arent everything, are they, Dyn? The Reaper IoT botnet is nowhere near as threatening as previously suggested, according to new research.… --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/27/reaper_iot_… ∗∗∗ A Bug in a Popular Maritime Platform Left Ships Exposed ∗∗∗ --------------------------------------------- The AmosConnect 8 web platform has vulnerabilities that could allow data to be exposed—underscoring deeper problems with maritime security. --------------------------------------------- https://www.wired.com/story/bug-in-popular-maritime-platform-isnt-getting-f… ∗∗∗ SANS Reading Room ∗∗∗ --------------------------------------------- The SANS Reading Room features over 2,730 original computer security white papers in 105 different categories. --------------------------------------------- https://www.sans.org/reading-room/ ∗∗∗ Sicherheitslücken in FortiOS mit hohem Angriffsrisiko ∗∗∗ --------------------------------------------- Im Betriebssystem FortiOS klaffen zwei Schwachstellen. Sicherheitsupdates reparieren das System. --------------------------------------------- https://heise.de/-3873331 ∗∗∗ The race to quantum supremacy and its cybersecurity impact ∗∗∗ --------------------------------------------- Quantum computing uses the power of atoms to perform memory and processing tasks and remains a theoretical concept. However, it is widely believed that its creation is possible. Most experts now agree that the creation of a quantum computer is simply a matter of engineering, and that the theoretical application will happen. Optimistic estimates for commercialization by the private sector vary between 5 and 15 years, while more conservative estimates by academics put it at [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/10/26/quantum-supremacy/ ∗∗∗ Please don’t buy this: smart locks ∗∗∗ --------------------------------------------- The announcement of Amazon Key, a smart lock paired with a security camera that lets couriers into your home, spawned our new series called "Please dont buy this." --------------------------------------------- https://blog.malwarebytes.com/security-world/2017/10/please-dont-buy-this-s… ∗∗∗ How to secure your router to prevent IoT threats? ∗∗∗ --------------------------------------------- The router is the first device that you must consider, since it not only controls the perimeter of your network, but all your traffic and information pass through it. --------------------------------------------- https://www.welivesecurity.com/2017/10/26/secure-your-router-prevent-iot-th… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II ∗∗∗ --------------------------------------------- On October 16th, 2017, a research paper with the title of "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" was made publicly available. This paper discusses seven vulnerabilities affecting session key negotiation in both the Wi-Fi Protected Access (WPA) and the Wi-Fi Protected Access II (WPA2) protocols. These vulnerabilities may allow the reinstallation of a pairwise transient key, a group key, or an integrity key on either a wireless client or a wireless access point. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ BlackBerry powered by Android Security Bulletin – October 2017 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ BlackBerry response to the impact of the vulnerabilities known as KRACK on BlackBerry products ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Korenix JetNet ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-299-01 ∗∗∗ Rockwell Automation Stratix 5100 ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-299-02 ∗∗∗ Bugtraq: October 2017 - Bamboo - Critical Security Advisory ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541424 ∗∗∗ DFN-CERT-2017-1898/">F-Secure KEY: Mehrere Schwachstellen ermöglichen das Ausspähen von Anmeldeinformationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1898/ ∗∗∗ DFN-CERT-2017-1904/">GNU Wget: Zwei Schwachstellen ermöglichen die Ausführung beliebigen Programmcodes und Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1904/ ∗∗∗ DFN-CERT-2017-1905/">Node.js: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1905/ ∗∗∗ DFN-CERT-2017-1890/">PHP: Mehrere Schwachstellen ermöglichen u.a. einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1890/ ∗∗∗ F5 Security Advisories ∗∗∗ --------------------------------------------- https://support.f5.com/csp/new-updated-articles ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security Notice - Statement on Multiple Security Vulnerabilities in WPA/WPA2 ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20171017-01-… ∗∗∗ Security Advisory - Permission Control Vulnerability in Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171027-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2017
by Daily end-of-shift report 25 Oct '17

25 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-10-2017 18:00 − Mittwoch 25-10-2017 18:00 Handler: Nina Bieringer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Whois Maintainer Accidentally Makes Password Hashes Available For Download ∗∗∗ --------------------------------------------- Whois maintainer for Asia Pacific notifies customers of an error where hashed authentication details for were inadvertently available for download. --------------------------------------------- http://threatpost.com/whois-maintainer-accidentally-makes-password-hashes-a… ∗∗∗ Malvertising Campaign Redirects Browsers To Terror Exploit Kit ∗∗∗ --------------------------------------------- Hackers behind the Terror exploit kit ramp up distribution via a two-month long malvertising campaign. --------------------------------------------- http://threatpost.com/malvertising-campaign-redirects-browsers-to-terror-ex… ∗∗∗ #BadRabbit: Wohl immer mehr Ziele von neuem Kryptotrojaner getroffen ∗∗∗ --------------------------------------------- Die russische Nachrichtenagentur Interfax ist am Dienstag durch einen Hackerangriff lahmgelegt worden. Fast alle Server seien betroffen, sagte der stellvertretende Generaldirektor Alexej Gorschkow. Es sei unklar, wann das Problem behoben werden könne. --------------------------------------------- https://heise.de/-3870349 ∗∗∗ DUHK: Zufallszahlengenerator ermöglicht Abhör-Attacke auf zehntausende Geräte ∗∗∗ --------------------------------------------- Mehr als 25.000 übers Internet erreichbare Fortinet-Geräte sind anfällig für passive Lauschangriffe gegen verschlüsselte Verbindungen. Verantwortlich ist fehlender Zufall. --------------------------------------------- https://heise.de/-3872013 ∗∗∗ Secure remote browsing: A different approach to thwart ever-changing threats ∗∗∗ --------------------------------------------- A defense-in-depth strategy is essential to modern enterprises, and organizations must deepen their defenses as quickly as possible to fully protect themselves. One promising technology proposes to achieve this by removing web browsing activity from endpoints altogether, while still enabling users to seamlessly and securely interact with the web-based content they need in order to do their jobs. The key to this approach? Secure remote browsing. --------------------------------------------- https://www.helpnetsecurity.com/2017/10/25/secure-remote-browsing/ ∗∗∗ Dell Lost Control of Key Customer Support Domain for a Month in 2017 ∗∗∗ --------------------------------------------- A Web site set up by PC maker Dell Inc. to help customers recover from malicious software and other computer maladies may have been hijacked for a few weeks this summer by people who specialize in deploying said malware, KrebsOnSecurity has learned. There is a program installed on virtually all Dell computers called "Dell Backup and Recovery Application." Its designed to help customers restore their data and computers to their pristine, factory default state should a problem occur [...] --------------------------------------------- https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-suppo… ∗∗∗ Digital forensics: How to recover deleted files ∗∗∗ --------------------------------------------- What happens exactly when you delete a file, and how easy or hard is it to recover deleted files? Learn the differences between delete, erase, and overwrite according to digital forensics. --------------------------------------------- https://blog.malwarebytes.com/security-world/2017/10/digital-forensics-reco… ===================== = Vulnerabilities = ===================== ∗∗∗ FortiOS DoS on webUI through params JSON parameter ∗∗∗ --------------------------------------------- An authenticated user may pass a specially crafted payload to the params parameter of the JSON web API (URLs with /json) , which can cause the web user interface to be temporarily unresponsive. --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-206 ∗∗∗ FortiOS web GUI logindisclaimer redir parameter XSS vulnerability ∗∗∗ --------------------------------------------- A reflected XSS vulnerability exists in FortiOS web GUI "Login Disclaimer" redir parameter. It is potentially exploitable by a remote unauthenticated attacker, via sending a maliciously crafted URL to a victim who has an open session on the web GUI. Visiting that malicious URL may cause the execution of arbitrary javascript code in the security context of the victims browser. --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-113 ∗∗∗ osTicket 1.10.1 Shell Upload ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017100187 ∗∗∗ DSA-4006 mupdf - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-4006 ∗∗∗ Huawei Security Advisories ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025973 ∗∗∗ IBM Security Bulletin: The BigFix Platform has vulnerabilities that have been addressed in patch releases ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009673 ∗∗∗ IBM Security Bulletin: Network Time Protocol (NTP) vulnerability in AIX which is used by IBM OS Images in IBM PureApplication Systems (CVE-2016-9310) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009301 ∗∗∗ IBM Security Bulletin: A vulnerability in the agent core framework affects IBM Performance Management products ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004193 ∗∗∗ XSA-236 ∗∗∗ --------------------------------------------- http://xenbits.xen.org/xsa/advisory-236.html Next End-of-Day report: 2017-10-27 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.10.2017
by Daily end-of-shift report 24 Oct '17

24 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Montag 23-10-2017 18:00 − Dienstag 24-10-2017 18:00 Handler: Nina Bieringer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Achieving Online Anonymity Using Tails OS ∗∗∗ --------------------------------------------- Achieving anonymity while browsing the internet is the main concern for many people; everybody wants to make their communications secure and private. However, few in the world have really achieved this objective and many are still facing difficulties and trying different techniques to achieve online privacy. The InfoSec community has produced various tools and techniques that utilize the TOR network to send the data securely and privately. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/achieving-online-anony… ∗∗∗ DUHK Crypto Attack Recovers Encryption Keys, Exposes VPN Connections, More ∗∗∗ --------------------------------------------- After last week we had the KRACK and ROCA cryptographic attacks, this week has gotten off to a similarly "great" start with the publication of a new crypto attack known as DUHK (Dont Use Hard-coded Keys) [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/duhk-crypto-attack-recovers-… ∗∗∗ Stop relying on file extensions, (Tue, Oct 24th) ∗∗∗ --------------------------------------------- Yesterday, I found an interesting file in my spam trap. It was called '16509878451.XLAM'. To be honest, I was not aware of this extension and I found this on the web: "A file with the XLAM file extension is an Excel Macro-Enabled Add-In file that [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22962 ∗∗∗ Study: 18% of fed agencies embrace DMARC yet 25% of email fraudulent, unauthenticated ∗∗∗ --------------------------------------------- Of the 18 percent of agencies that do have DMARC in play, only half are maximizing the benefits of the standard by quarantining or rejecting unauthenticated email to prevent domain name spoofing. --------------------------------------------- https://www.scmagazine.com/study-18-of-fed-agencies-embrace-dmarc-yet-25-of… ∗∗∗ News Feature: Google Security interview "human solutions - the way to go." ∗∗∗ --------------------------------------------- Google has launched of a range of personal and corporate security enhancements (below) this month. Google security expert Allison Miller, spoke to SC about the organisations approach to security and privacy concerns. --------------------------------------------- https://www.scmagazine.com/news-feature-google-security-interview-human-sol… ∗∗∗ Please activate the anti-ransomware protection in your Windows 10 Fall Creators Update PC. Ta ∗∗∗ --------------------------------------------- Plus: Azure gets all Cray-cray A below-the-radar security feature in the Windows 10 Fall Creators Update, aka version 1709 released last week, can stop ransomware and other file-scrambling nasties dead. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/23/fyi_windows… ∗∗∗ Let’s Enhance ! How we found @rogerkver’s $1000 wallet obfuscated private key. ∗∗∗ --------------------------------------------- We could have simply named this post “How great QR code are and how we recovered one from almost nothing” but it’s much more interesting when the QR code is the key to a $1000 Bitcoin wallet. --------------------------------------------- https://medium.com/@SassanoM/lets-enhance-how-we-found-rogerkver-s-1000-wal… ∗∗∗ Android-Schädling Lokibot ist eine Transformer-Malware ∗∗∗ --------------------------------------------- In erster Linie ist Lokibot auf Bankdaten aus. Wer gegen den Trojaner vorgeht, bekommt ein anderes Gesicht des Schädlings zu sehen und sieht sich mit Erpressung konfrontiert. --------------------------------------------- https://heise.de/-3868947 ∗∗∗ Hackerangriff: Russische Nachrichtenagentur Interfax wohl von Kryptotrojaner getroffen ∗∗∗ --------------------------------------------- Die russische Nachrichtenagentur Interfax ist am Dienstag durch einen Hackerangriff lahmgelegt worden. Fast alle Server seien betroffen, sagte der stellvertretende Generaldirektor Alexej Gorschkow. Es sei unklar, wann das Problem behoben werden könne. --------------------------------------------- https://heise.de/-3870349 ∗∗∗ Reaper: Calm Before the IoT Security Storm? ∗∗∗ --------------------------------------------- Its been just over a year since the world witnessed some of the worlds top online Web sites being taken down for much of the day by "Mirai," a zombie malware strain that enslaved "Internet of Things" (IoT) devices such as wireless routers, security cameras and digital video recorders for use in large-scale online attacks. Now, experts are sounding the alarm about the emergence of what appears to be a far more powerful strain of IoT attack malware [...] --------------------------------------------- https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-sto… ∗∗∗ Keine Aktualisierung bei Netflix notwendig ∗∗∗ --------------------------------------------- Datendiebe versenden eine gefälschte Netflix-Nachricht. Darin fordern sie Kund/innen dazu auf, dass sie ihre Zahlungsinformationen auf einer Website aktualisieren. Wer das macht, übermittelt sensible Daten an die Betrüger/innen. Sie können auf Kosten ihres Opfers einkaufen gehen und Verbrechen unter seinem Namen begehen. --------------------------------------------- https://www.watchlist-internet.at/phishing/keine-aktualisierung-bei-netflix… ∗∗∗ Reducing Vulnerability to Cyberattacks ∗∗∗ --------------------------------------------- The need for secure systems is a growing priority for Industry Control System (ICS) operators. Recent high profile cyber-attacks against critical infrastructure, coupled with the growing list of published equipment [...] --------------------------------------------- http://blog.schneider-electric.com/cyber-security/2017/10/23/reducing-vulne… ∗∗∗ Kiev metro hit with a new variant of the infamous Diskcoder ransomware ∗∗∗ --------------------------------------------- Public sources have confirmed that computer systems in the Kiev Metro, Odessa naval port, Odessa airport, Ukrainian ministries of infrastructure and finance, and also a number of organizations in Russia are among the affected organizations.The post Kiev metro hit with a new variant of the infamous Diskcoder ransomware appeared first on WeLiveSecurity --------------------------------------------- https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamo… ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix XenServer Security Update for CVE-2017-15597 ∗∗∗ --------------------------------------------- A security vulnerability has been identified in Citrix XenServer that may allow a malicious administrator of a guest VM to compromise the host. --------------------------------------------- https://support.citrix.com/article/CTX229057 ∗∗∗ Cisco Spark Hybrid Calendar Service Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect Java Server Faces (JSF) used by WebSphere Application Server (CVE-2017-1583, CVE-2011-4343) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008707 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Functional Tester (CVE-2017-10115, CVE-2017-10116) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008877 ∗∗∗ IBM Security Bulletin: IBM Streams may be affected by XMLsoft Libxml2 vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009670 ∗∗∗ IBM Security Bulletin: IBM Streams may be affected by XMLsoft Libxml2 vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009715 ∗∗∗ cURL Buffer Overread in Processing IMAP FETCH Response Data Lets Remote Users Deny Service or Obtain Potentially Sensitive Information ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039644 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.10.2017
by Daily end-of-shift report 23 Oct '17

23 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-10-2017 18:00 − Montag 23-10-2017 18:00 Handler: Nina Bieringer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ National Cybersecurity Awareness Month – Words to Avoid ∗∗∗ --------------------------------------------- TGIF (Thank Goodness, It’s Friday)! Yes, I altered the ‘G’ to be politically correct, but being politically correct has little...The post National Cybersecurity Awareness Month – Words to Avoid appeared first on BeyondTrust. --------------------------------------------- https://www.beyondtrust.com/blog/national-cybersecurity-awareness-month-wor… ∗∗∗ Performing & Preventing SSL Stripping: A Plain-English Primer ∗∗∗ --------------------------------------------- Over the past few days we learnt about a new attack that posed a serious weakness in the encryption protocol used to secure all modern Wi-Fi networks. The KRACK Attack effectively allows interception of traffic on wireless networks secured by the WPA2 protocol. Whilst it is possible to backward patch [...] --------------------------------------------- https://blog.cloudflare.com/performing-preventing-ssl-stripping-a-plain-eng… ∗∗∗ Krack-Angriff: AVM liefert erste Updates für Repeater und Powerline ∗∗∗ --------------------------------------------- Nach dem Bekanntwerden der WPA2-Schwäche Krack hat AVM nun erste Geräte gepatcht. Weitere Patches sollen folgen, jedoch nicht für Fritzboxen. --------------------------------------------- https://www.golem.de/news/krack-angriff-avm-liefert-erste-updates-fuer-repe… ∗∗∗ Mirai-Nachfolger: Experten warnen vor "Cyber-Hurrican" durch neues Botnetz ∗∗∗ --------------------------------------------- Kriminelle nutzen Sicherheitslücken in IoT-Geräten zum Aufbau eines großen Botnetzes aus. Dabei verwendet der Bot Code von Mirai, unterscheidet sich jedoch von seinem prominenten Vorgänger. --------------------------------------------- https://www.golem.de/news/mirai-nachfolger-experten-warnen-vor-cyber-hurric… ∗∗∗ Security+ Domain #6: Cryptography ∗∗∗ --------------------------------------------- Cryptography falls into the sixth and last domain of CompTIA’s Security+ exam (SYO-401) and contributes 12% to the exam score. The Security+ exam tests the candidate’s knowledge of cryptography and how it relates to the security of networked and stand-alone systems in organizations. To pass the Security+ exam, the candidates must understand both symmetric and [...] --------------------------------------------- http://resources.infosecinstitute.com/security-domain-6-cryptography/ ∗∗∗ Introducing Windows Defender Application Control ∗∗∗ --------------------------------------------- Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control flips the model from one where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Many organizations, like [...] --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/10/23/introducing-windows-def… ∗∗∗ Google to add "DNS over TLS" security feature to Android OS ∗∗∗ --------------------------------------------- No doubt your Internet Service Provides (ISPs), or network-level hackers cannot spy on https communications. But do you know — ISPs can still see all of your DNS requests, allowing them to know what websites you visit. Google is working on a new security feature for Android that could prevent your Internet traffic from network spoofing attacks. Almost every Internet activity starts with a [...] --------------------------------------------- https://thehackernews.com/2017/10/android-dns-over-tls.html ∗∗∗ TA17-293A: Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors ∗∗∗ --------------------------------------------- Original release date: October 20, 2017 | Last revised: October 21, 2017 Systems Affected Domain ControllersFile ServersEmail Servers Overview This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing [...] --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA17-293A ∗∗∗ New FakeNet-NG Feature: Content-Based Protocol Detection ∗∗∗ --------------------------------------------- I (Matthew Haigh) recently contributed to FLARE’s FakeNet-NG network simulator by adding content-based protocol detection and configuration. This feature is useful for analyzing malware that uses a protocol over a non-standard port; for example, HTTP over port 81. The new feature also detects and adapts to SSL so that any protocol can be used with SSL and handled appropriately by FakeNet-NG. We were motivated to add this feature since it was a feature of the original FakeNet and it was [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/10/fakenet-content-based-p… ∗∗∗ Krypto-Mining im Browser: Software-Hersteller wollen Nutzer besser schützen ∗∗∗ --------------------------------------------- Mining-Skripte zwacken beim Surfen heimlich Rechenleistung zum Schürfen von Krypto-Währungen ab. Adblocker- und Browser-Hersteller erarbeiten Gegenstrategien. Einige Skript-Entwickler reagieren ihrerseits, indem sie Nutzer künftig um Erlaubnis fragen. --------------------------------------------- https://heise.de/-3865577 ∗∗∗ Kanadischer Geheimdienst veröffentlicht erstmals Sicherheitssoftware ∗∗∗ --------------------------------------------- CSE gilt als besonders schweigsam. Nun überraschen die Spione mit der Herausgabe eines Dateiformats sowie eines Frameworks. Es soll helfen, in vielen Dateien gleichzeitig Malware aufzuspüren. --------------------------------------------- https://heise.de/-3867343 ∗∗∗ Mac-Shareware-Downloads mit signiertem Trojaner ∗∗∗ --------------------------------------------- Die Apps Folx und Elmedia Player wurden nach einem Hack über deren Websites inklusive der "Proton"-Malware vertrieben. Der Hersteller empfiehlt eine Neuinstallation betroffener Maschinen. --------------------------------------------- https://heise.de/-3867420 ∗∗∗ "Cyber Conflict" Decoy Document Used In Real Cyber Conflict ∗∗∗ --------------------------------------------- This post was authored by Warren Mercer, Paul Rascagneres and Vitor VenturaUpdate 10/23: CCDCOE released a statement today on their websiteIntroductionCisco Talos discovered a new malicious campaign from the well known actor Group 74 (aka Tsar Team, Sofacy, APT28, Fancy Bear…). Ironically the decoy document is a deceptive flyer relating to the Cyber Conflict U.S. conference. --------------------------------------------- http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco AMP for Endpoints Static Key Vulnerability ∗∗∗ --------------------------------------------- On October 20th, 2017, Cisco PSIRT was notified by the internal product team of a security vulnerability in the Cisco AMP For Endpoints application that would allow an authenticated, local attacker to access a static key value stored in the local application software.The vulnerability is due to the use of a static key value stored in the application used to encrypt the connector protection password. An attacker could exploit this vulnerability by gaining local, administrative access to a [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1859: OpenJFX: Zwei Schwachstellen ermöglichen eine komplette Kompromittierung der Software ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1859/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009296 ∗∗∗ IBM Security Bulletin: IBM b-type Network/Storage switches is affected by Open Source OpenSSL Vulnerabilities (OpenSSL and Node.JS consumers). ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010726 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in cURL affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009692 ∗∗∗ BMC Remedy IT Service Management Suite Multiple Flaws Let Remote Users Obtain Potentially Sensitive Information and Conduct Cross-Site Scripting Attacks and Let Remote Authenticated Users Execute Arbitrary Code ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039637 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.10.2017
by Daily end-of-shift report 20 Oct '17

20 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-10-2017 18:00 − Freitag 20-10-2017 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ KRACK-Entdecker: "Sicherheitsupdates einfordern" ∗∗∗ --------------------------------------------- Der belgische Sicherheitsforscher Mathy Vanhoef, der die Sicherheitslücke KRACK in WLAN-Netzwerken entdeckt hat, geht davon aus, dass viele Geräte kein Update erhalten werden. --------------------------------------------- https://futurezone.at/digital-life/krack-entdecker-sicherheitsupdates-einfo… ∗∗∗ Canadian spooks release their own malware detection tool ∗∗∗ --------------------------------------------- Canuck NSA/GCHQ equivalent open-sources Assemblyline, to make us all as safe as Canada Canadas Communications Security Establishment has open-sourced its own malware detection tool.… --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/20/canadian_co… ===================== = Vulnerabilities = ===================== ∗∗∗ Boston Scientific ZOOM LATITUDE PRM Vulnerabilities ∗∗∗ --------------------------------------------- This advisory contains compensating controls for use of hard-coded cryptographic key and missing encryption of sensitive data vulnerabilities in Boston Scientific’s ZOOM LATITUDE Programmer/Recorder/Monitor Model 3120. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-292-01 ∗∗∗ SpiderControl MicroBrowser ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an uncontrolled search path element vulnerability in SpiderControls MicroBrowser. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-292-01 ∗∗∗ Cisco Nexus Series Switches CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the CLI of Cisco NX-OS System Software running on Cisco Nexus Series Switches could allow an authenticated, local attacker to perform a command injection attack.The vulnerability is due to insufficient input validation of command arguments. An attacker could exploit this vulnerability by injecting crafted command arguments into a vulnerable CLI command. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco-Updates schließen mehrere Lücken ∗∗∗ --------------------------------------------- Mit aktuellen Updates schließt Cisco insgesamt 17 Sicherheitslücken. Eine davon ist kritisch und erlaubt den Remote-Zugriff auf die Cloud Services Platform (CSP) 2100. --------------------------------------------- https://heise.de/-3865704 ∗∗∗ Oracle Critical Patch Update Advisory - October 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html ∗∗∗ Security Notice - Statement on App Lock Bypass Vulnerability in Huawei EMUI ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170922-01-… ∗∗∗ IBM Security Bulletin: A vulnerability in libsoup affects PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025834 ∗∗∗ IBM Security Bulletin: Vulnerabilities in Apache HTTPD affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025773 ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Bluemix (CVE-2017-1583, CVE-2011-4343) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009704 ∗∗∗ IBM Security Bulletin: Vulnerabilities in MariaDB affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025771 ∗∗∗ IBM Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025779 ∗∗∗ IBM Security Bulletin: Vulnerabilities in TigerVNC affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025772 ∗∗∗ IBM Security Bulletin: Vulnerabilities in glibc affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025781 ∗∗∗ IBM Security Bulletin: Vulnerabilities in PostgreSQL affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025764 ∗∗∗ IBM Security Bulletin: A vulnerability in OpenLDAP affects PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025766 ∗∗∗ IBM Security Bulletin: Vulnerabilities in git affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025756 ∗∗∗ IBM Security Bulletin: A vulnerability in Spice affects PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025754 ∗∗∗ IBM Security Bulletin: Vulnerabilities in tcpdump affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025768 ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Planning Analytics Express and IBM Cognos Express. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009518 ∗∗∗ SafeNet External Network HSM script vulnerability CVE-2017-6165 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74759095 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.10.2017
by Daily end-of-shift report 19 Oct '17

19 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-10-2017 18:00 − Donnerstag 19-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ BoundHook Attack Exploits Intel Skylake MPX Feature ∗∗∗ --------------------------------------------- A new attack method takes advantage a feature in Intel’s Skylake microprocessor allowing for post-intrusion application hooking and stealth manipulation of applications. --------------------------------------------- http://threatpost.com/boundhook-attack-exploits-intel-skylake-mpx-feature/1… ∗∗∗ US-CERT study predicts machine learning, transport systems to become security risks ∗∗∗ --------------------------------------------- Youve been warned The Carnegie-Mellon Universitys Software Engineering Institute has nominated transport systems, machine learning, and smart robots as needing better cyber-security risk and threat analysis. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/19/cert_cc_thr… ∗∗∗ A Look at Locky Ransomware’s Recent Spam Activities ∗∗∗ --------------------------------------------- Ransomware has been one of the most prevalent, prolific, and pervasive threats in the 2017 threat landscape, with financial losses among enterprises and end users now likely to have reached billions of dollars. Locky ransomware, in particular, has come a long way since first emerging in early 2016. Despite the number of times it apparently spent in hiatus, Locky remains a relevant and credible threat given its impact on end users and especially businesses. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/sDep2mrz5v0/ ∗∗∗ New Attacker Scanning for SSH Private Keys on Websites ∗∗∗ --------------------------------------------- Wordfence is seeing a significant spike in SSH private key scanning activity. We are releasing this advisory to ensure that our customers and the broader WordPress community are aware of this new activity and of the risk of making private SSH keys public, and to explain how to avoid this problem. --------------------------------------------- https://www.wordfence.com/blog/2017/10/ssh-key-website-scans/ ∗∗∗ Baselining Servers to Detect Outliers ∗∗∗ --------------------------------------------- This week I came across an interesting incident response scenario that was more likely a blind hunt. The starting point was the suspicion that a breach may have occurred in one or more of ~500 web servers of a big company on a given date range, even though there was no evidence of leaked data or any other IOC to guide the investigation. To overcome [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22940 ===================== = Vulnerabilities = ===================== ∗∗∗ KRACK Key Reinstall in FT Handshake - PoC ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017100142 ∗∗∗ Bugtraq: WebKitGTK+ Security Advisory WSA-2017-0008 ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541370 ∗∗∗ DFN-CERT-2017-1836: Lucene/Solr: Eine Schwachstelle ermöglicht die Ausführung beliebigen Prorgammcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1836/ ∗∗∗ DFN-CERT-2017-1837: Suricata: Zwei Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1837/ ∗∗∗ DFN-CERT-2017-1846: GitLab: Mehrere Schwachstellen ermöglichen u.a. Cross-Site-Scripting-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1846/ ∗∗∗ Cisco Security Advisories and Alerts ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security Advisory – Multiple “BlueBorne” vulnerabilities on Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171018-… ∗∗∗ Security Advisory - App Lock Bypass Vulnerability in Huawei Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171019-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2017
by Daily end-of-shift report 18 Oct '17

18 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-10-2017 18:00 − Mittwoch 18-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ RSA-Sicherheitslücke: Infineon erzeugt Millionen unsicherer Krypto-Schlüssel ∗∗∗ --------------------------------------------- RSA-Schlüssel von Hardware-Kryptomodulen der Firma Infineon lassen sich knacken. Das betrifft unter anderem Debian-Entwickler, Anbieter qualifizierter Signatursysteme, TPM-Chips in Laptops und estnische Personalausweise. --------------------------------------------- https://www.golem.de/news/rsa-sicherheitsluecke-infineon-erzeugt-millionen-… ∗∗∗ Browser security beyond sandboxing ∗∗∗ --------------------------------------------- Security is now a strong differentiator in picking the right browser. We all use browsers for day-to-day activities like staying in touch with loved ones, but also for editing sensitive private and corporate documents, and even managing our financial assets. A single compromise through a web browser can have catastrophic results. It doesn’t help that... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/10/18/browser-security-beyond… ∗∗∗ uBlock Origin ad-blocker knocked for blocking hack attack squawking ∗∗∗ --------------------------------------------- Block all the things! No, wait, not the XSS security alerts Top ad-blocking plugin uBlock Origin has come under fire for being a little too eager in its quest to murder nasty stuff on the internet: it prevents browsers from sounding the alarm on hacking attacks. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/17/ublock_orig… ∗∗∗ Hancitor malspam uses DDE attack ∗∗∗ --------------------------------------------- Malicious spam (malspam) pushing Hancitor malware (also known as Chanitor or Tordal) changed tactics on Monday 2017-10-16. Instead of pushing Microsoft Word documents with malicious macros, this malspam began pushing Word documents taking advantage of Microsofts Dynamic Data Exchange (DDE) technique. --------------------------------------------- https://isc.sans.edu/diary/22936 ∗∗∗ Klage wegen Urheberrechtsverletzung verbreitet Schadsoftware ∗∗∗ --------------------------------------------- In erfundenen Schreiben behaupten unbekannte Absender/innen, dass Empfänger/innen eine Urheberrechtsverletzung begangen haben und deshalb verklagt werden. Für weiterführende Informationen dazu sollen Adressat/innen eine ZIP-Datei herunterladen. Sie verbirgt Schadsoftware und darf nicht geöffnet werden. --------------------------------------------- https://www.watchlist-internet.at/schadsoftware/klage-wegen-urheberrechtsve… ===================== = Vulnerabilities = ===================== ∗∗∗ HPESBHF03789 rev.2 - Certain HPE Gen9 Systems with HP Trusted Platform Module v2.0 Option, Unauthorized Access to Data ∗∗∗ --------------------------------------------- A potential security vulnerability has been identified in the "HP Trusted Platform Module 2.0 Option" kit. This optional kit is available for HPE Gen9 systems with firmware version 5.51. The vulnerability in TPM firmware 5.51 is that new mathematical methods exist such that RSA keys generated by the TPM 2.0 with firmware 5.51 are cryptographically weakened. This vulnerability could lead to local and remote unauthorized access to data. --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03789en… ∗∗∗ Progea Movicon SCADA/HMI ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-290-01 ∗∗∗ IC3 Issues Alert on IoT Devices ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/10/17/IC3-Issues-Alert-I… ∗∗∗ Huawei Security Advisories ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories ∗∗∗ IBM Security Bulletin: Vulnerability in Apache Standard Taglibs affects IBM Connections Portlets For WebSphere Portal (CVE-2015-0254) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006285 ∗∗∗ IBM Security Bulletin: A vulnerability in OpenSSL affects IBM Flex System Manager (FSM) Storage Manager Install Anywhere (SMIA) configuration tool (CVE-2017-3735) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025909 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Connect:Direct FTP+ ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009532 ∗∗∗ JSA10826 - 2017-10 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 17.1R1 release ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10826&actp=RSS ∗∗∗ Critical Patch Update - October 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html ∗∗∗ Solaris Third Party Bulletin - October 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/topics/security/bulletinoct2017-3958668.h… ∗∗∗ Oracle Linux Bulletin - October 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2017-4005… ∗∗∗ Oracle VM Server for x86 Bulletin - October 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2017-400589… ∗∗∗ Multiple vulnerabilities in Linksys E-series products ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-… ∗∗∗ Multiple vulnerabilities in Afian AB FileRun ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-… ∗∗∗ SSA-523365 (Last Update 2017-10-18): Vulnerability in SIMATIC PCS 7 ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-523365… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.10.2017
by Daily end-of-shift report 17 Oct '17

17 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Montag 16-10-2017 18:00 − Dienstag 17-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Heres a Video of the Latest ATM Malware Sold on the Dark Web ∗∗∗ --------------------------------------------- A hacker or hacker group is selling a strain of ATM malware that can make ATMs spit out cash just by connecting to its USB port and running the malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/heres-a-video-of-the-latest-… ∗∗∗ Lenovo Quietly Patches Massive Bug Impacting Its Android Tablets and Zuk, Vibe Phones ∗∗∗ --------------------------------------------- Lenovo customers are being told to update their Android tablets and handsets to protect themselves against a handful of critical vulnerabilities impacting tens of millions of vulnerable Lenovo devices. --------------------------------------------- http://threatpost.com/lenovo-quietly-patches-massive-bug-impacting-its-andr… ∗∗∗ Estonia releases update on Digital ID card vulnerability ∗∗∗ --------------------------------------------- The Estonia government issued an update on a vulnerability potentially affecting digital use of ID cards issued since October 2014. --------------------------------------------- https://www.scmagazineuk.com/estonia-releases-update-on-digital-id-card-vul… ∗∗∗ Microsoft responded quietly after detecting secret database hack in 2013 ∗∗∗ --------------------------------------------- (Reuters) - Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago, according to five former employees, in only the second known breach of such a corporate database. --------------------------------------------- https://www.reuters.com/article/us-microsoft-cyber-insight/microsoft-respon… ∗∗∗ KRACK: Hersteller-Updates und Stellungnahmen ∗∗∗ --------------------------------------------- Mittlerweile haben einige von der WPA2-Lücke KRACK betroffene Hersteller Patches veröffentlicht, die die Gefahr abwehren. Andere meldeten sich in Stellungnahmen zu Wort. --------------------------------------------- https://heise.de/-3863455 ===================== = Vulnerabilities = ===================== ∗∗∗ Security Advisory 2017-05: Security Update for OTRS Business Solution™ ∗∗∗ --------------------------------------------- October 17, 2017 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability. --------------------------------------------- https://www.otrs.com/security-advisory-2017-05-security-update-otrs-busines… ∗∗∗ BSRT-2017-006 Vulnerabilities in Workspaces Server components impact BlackBerry Workspaces ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ VU#307015: Infineon RSA library does not properly generate RSA key pairs ∗∗∗ --------------------------------------------- http://www.kb.cert.org/vuls/id/307015 ∗∗∗ VU#228519: Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse ∗∗∗ --------------------------------------------- http://www.kb.cert.org/vuls/id/228519 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cross site scripting in Webtrekk Pixel ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/cross-site-scripting-in-webt… ∗∗∗ EMC NetWorker Buffer Overflow in nsrd Lets Remote Users Execute Arbitrary Code ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039583 ∗∗∗ Java vulnerability CVE-2017-10053 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K28418435 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.10.2017
by Daily end-of-shift report 16 Oct '17

16 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-10-2017 18:00 − Montag 16-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ TPM Chipsets Generate Insecure RSA Keys. Multiple Vendors Affected ∗∗∗ --------------------------------------------- Infineon TPM chipsets that come with many modern-day motherboards generate insecure RSA encryption keys that put devices at risk of attack. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/tpm-chipsets-generate-insecu… ∗∗∗ List of Firmware & Driver Updates for KRACK WPA2 Vulnerability ∗∗∗ --------------------------------------------- This article will contain an udpated list of firmware and driver updates that resolve the Krack WPA2 vulnerability. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-… ∗∗∗ Es steht KRACK auf dem Speiseplan! ∗∗∗ --------------------------------------------- [...] heute wurden Details zu den sogenannten "Key Reinstallation Attacks", kurz "KRACK", veröffentlicht (technisches Paper / Webseite). Kurz zusammengefasst stellen diese Schwachstellen die ersten [...] --------------------------------------------- http://www.cert.at/services/blog/20171016132413-2092.html ∗∗∗ Auto: Subaru-Funkschlüssel lässt sich einfach klonen ∗∗∗ --------------------------------------------- Autoschlüssel mit Funkverbindung sind ein beliebtes Ziel für Sicherheitsforscher - und oft eher Opfer als Gegner. Aktuell ist Subaru betroffen, zahlreiche Fahrzeuge des Herstellers sind für einen Angriff verwundbar. Das Unternehmen hat bislang nicht reagiert. --------------------------------------------- https://www.golem.de/news/auto-subaru-funkschluessel-laesst-sich-einfach-kl… ∗∗∗ Ukraine Police Warns of New NotPetya-Style Large Scale CyberAttack ∗∗∗ --------------------------------------------- Remember NotPetya? The Ransomware that shut down thousands of businesses, organisations and banks in Ukraine as well as different parts of Europe in June this year. Now, Ukrainian government authorities are once again warning its citizens to brace themselves for next wave of "large-scale" NotPetya-like cyber attack. According to a press release published Thursday by the Secret Service of [...] --------------------------------------------- https://thehackernews.com/2017/10/ukraine-notpetya-cyberattack.html ∗∗∗ How Power Grid Hacks Work, and When You Should Panic ∗∗∗ --------------------------------------------- After months of reports of energy grid breaches, time to distinguish the elite intrusions from just another spearphishing attack. --------------------------------------------- https://www.wired.com/story/hacking-a-power-grid-in-three-not-so-easy-steps ∗∗∗ Erneut Malware-Angriff auf Kreditkartendaten bei Hyatt ∗∗∗ --------------------------------------------- Wieder ist es Angreifern gelungen, Software in die IT-Systeme der Hotelkette Hyatt einzuschleusen, die Kreditkartendaten der Kunden abgriff. Das sei nun aber behoben, versichert das Unternehmen, das 2015 ähnlich angegriffen wurde. --------------------------------------------- https://heise.de/-3862121 ∗∗∗ Bank Austria überprüft keine Identität mit Probe-SMS ∗∗∗ --------------------------------------------- In einer gefälschten Bank Austria-Nachricht behaupten Kriminelle, dass Kund/innen ihre Identität mit einer Probe-SMS überprüfen lassen müssen. Dafür ist es notwendig, dass sie auf einer Website ihre Verfügernummer, ihr Passwort und ihre Telefonnummer bekannt geben. Es folgt ein Anruf der Täter/innen, mit dem sie die Bekanntgabe eines TAN-Codes fordern. Der TAN-Code ermöglicht es ihnen, das Geld ihrer Opfer zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/phishing/bank-austria-ueberprueft-keine-i… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Adobe Flash Player - aktiv ausgenützt - Patches verfügbar ∗∗∗ --------------------------------------------- Adobe hat bekanntgegeben, dass es aktuell eine kritische Sicherheitslücke in Adobe Flash Player gibt, die auch bereits aktiv ausgenützt wird. CVE-Nummer: CVE-2017-11292 Entsprechend fehlerbereinigte Versionen sind verfügbar. Auswirkungen Durch Ausnützen dieser Lücke kann ein Angreifer laut Adobe beliebigen Code auf betroffenen Systemen [...] --------------------------------------------- https://www.cert.at/warnings/all/20171016.html ∗∗∗ Bugtraq: [RCESEC-2017-002][CVE-2017-14956] AlienVault USM v5.4.2 "/ossim/report/wizard_email.php" Cross-Site Request Forgery leading to Sensitive Information Disclosure ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541342 ∗∗∗ Vuln: Atlassian Bamboo CVE-2017-9514 Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/101269 ∗∗∗ Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1814/: Jenkins: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1814/ ∗∗∗ Multiple vulnerabilities in OpenText Documentum Content Server ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541333 ∗∗∗ FortiWLC XSS injection via crafted HTTP POST request ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-106 ∗∗∗ FortiMail reflected XSS vulnerability under customized webmail login page ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-099 ∗∗∗ FortiWLC file management OS Command Injection vulnerability ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-119 ∗∗∗ Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171013-… ∗∗∗ IBM Security Bulletin: IBM Cognos Business Intelligence Server 2017Q3 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009259 ∗∗∗ Multiple vulnerabilities in Micro Focus VisiBroker C++ ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-… ∗∗∗ OpenSSL vulnerability CVE-2017-3735 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21462542 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.10.2017
by Daily end-of-shift report 13 Oct '17

13 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-10-2017 18:00 − Freitag 13-10-2017 18:00 Handler: Olaf Schwarz Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Android DoubleLocker Ransomware Activates Every Time You Hit Home Button ∗∗∗ --------------------------------------------- A new ransomware targeting Android devices has been spotted in the wild. Codenamed DoubleLocker, the ransomware abuses Androids Accessibility service and reactivates itself every time the user presses the phones Home button. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-doublelocker-ransomw… ∗∗∗ Fehler in WSUS-Update: Windows-Clients booten nicht mehr ∗∗∗ --------------------------------------------- Fehlerhafte Update-Pakete für Windows 10 und Windows Server 2016, die Microsoft am letzten Patchday veröffentlicht hat, legten in den vergangenen Tagen Rechner in Unternehmensnetzwerken lahm. Betroffen waren nur Umgebungen mit WSUS und SCCM. --------------------------------------------- https://www.heise.de/newsticker/meldung/Fehler-in-WSUS-Update-Windows-Clien… ∗∗∗ Bug auf T-Mobile-Website ermöglichte den Abruf vertraulicher Kundendaten ∗∗∗ --------------------------------------------- In der Website t-mobile.com klaffte ein Sicherheitsleck, das die Abfrage von Kundendatensätzen durch potenzielle Angreifer erlaubte. --------------------------------------------- https://heise.de/-3860676 ∗∗∗ Malvertising on Equifax, TransUnion tied to third party script ∗∗∗ --------------------------------------------- Equifaxs website is once again infected, this time with malvertising that redirects to a fake Flash player. Further investigation reveals TransUnion was also targeted. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/10/equifax-transunion-we… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Patch Update - October 2017 ∗∗∗ --------------------------------------------- Critical Patch Update - October 2017 - Pre-Release Announcement --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html ∗∗∗ ProMinent MultiFLEX M10a Controller ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-285-01 ∗∗∗ WECON Technology Co., Ltd. LeviStudio HMI Editor ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-285-02 ∗∗∗ Envitech Ltd. EnviDAS Ultimate ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-285-03 ∗∗∗ NXP Semiconductors MQX RTOS ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-285-04 ∗∗∗ Siemens BACnet Field Panels ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-285-05 ∗∗∗ DFN-CERT-2017-1812/">Xen: Mehrere Schwachstelle ermöglichen u.a. das Eskalieren von Privilegien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1812/ ∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM Java SDK affecting IBM Application Delivery Intelligence v1.0.1, v1.0.1.1, v1.0.2, v5.0.2 and v5.0.2.1. (CVE-2017-10115 and CVE-2017-10116) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009234 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009543 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Rational Application Developer for WebSphere Software ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008951 ∗∗∗ IBM Security Bulletin: IBM Notes is affected by Open Source XStream Vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004066 ∗∗∗ Java SE vulnerability CVE-2017-10115 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K91024405 ∗∗∗ Java SE vulnerability CVE-2017-10108 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52342540 ∗∗∗ Vulnerability in windows antivirus products (IK-SA-2017-0001) ∗∗∗ --------------------------------------------- http://www.ikarussecurity.com/about-ikarus/security-blog/vulnerability-in-w… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.10.2017
by Daily end-of-shift report 12 Oct '17

12 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-10-2017 18:00 − Donnerstag 12-10-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices ∗∗∗ --------------------------------------------- Posted by Gal Beniamini, Project ZeroIn this blog post we’ll complete our goal of achieving remote kernel code execution on the iPhone 7, by means of Wi-Fi communication alone.After developing a Wi-Fi firmware exploit in the previous blog post, we are left with the task of using our newly acquired access to gain control over the XNU kernel. To this end, we’ll begin by investigating the isolation mechanisms present on the iPhone. Next, we’ll explore the ways in which the host --------------------------------------------- http://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-3-exploitin… ∗∗∗ Kritische Sicherheitslücke in Thunderbird 52.4 geschlossen ∗∗∗ --------------------------------------------- Die Entwickler von Thunderbird haben sich in der aktuellen Version um mehrere Schwachstellen gekümmert. Wer die neue Version nicht installiert, könnte sich unter Umständen Schadcode einfangen. --------------------------------------------- https://heise.de/-3858847 ∗∗∗ Bankingtrojaner Retefe für macOS in deutscher Sprache ∗∗∗ --------------------------------------------- Eine neue Version vom Retefe-Schädling tarnt sich unter anderem als OS-X-Update und wird derzeit etwa über gefälschte DHL-Mails verteilt. Auch Windows-Nutzer sind gefährdet. --------------------------------------------- https://heise.de/-3859911 ∗∗∗ Hacker stahlen sensible Daten der australischen Rüstungsindustrie ∗∗∗ --------------------------------------------- Rüstungsminister Pyne sieht keine Gefahr für das Militär --------------------------------------------- http://derstandard.at/2000065885898 ∗∗∗ Kritische Lücke in Microsoft Office ermöglicht Remote Code Execution ∗∗∗ --------------------------------------------- Researcher haben eine schwerwiegende Sicherheitslücke in Microsoft Office entdeckt. Beschreibung: Wenn ein Benutzer eine speziell präparierte Datei im Microsoft Excel-Format oder Microsoft Word-Format öffnet, kann in Folge ein Angreifer beliebigen Code, mit den Rechten des angemeldeten Benutzers, auf dem System ausführen. --------------------------------------------- http://www.cert.at/warnings/all/20171011.html ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3997 wordpress - security update ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in Wordpress, a web blogging tool.They would allow remote attackers to exploit path-traversal issues, perform SQLinjections and various cross-site scripting attacks. --------------------------------------------- https://www.debian.org/security/2017/dsa-3997 ∗∗∗ DSA-3998 nss - security update ∗∗∗ --------------------------------------------- Martin Thomson discovered that nss, the Mozilla Network Security Servicelibrary, is prone to a use-after-free vulnerability in the TLS 1.2implementation when handshake hashes are generated. A remote attackercan take advantage of this flaw to cause an application using the nsslibrary to crash, resulting in a denial of service, or potentially toexecute arbitrary code. --------------------------------------------- https://www.debian.org/security/2017/dsa-3998 ∗∗∗ JSA10809 - 2017-10 Security Bulletin: SRX Series: Cryptographic weakness in SRX300 Series TPM Firmware (CVE-2017-10606) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10809&actp=RSS ∗∗∗ JSA10810 - 2017-10 Security Bulletin: Junos: rpd core due to receipt of specially crafted BGP packet (CVE-2017-10607) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10810&actp=RSS ∗∗∗ JSA10817 - 2017-10 Security Bulletin: Junos OS: Denial of service vulnerabilities in telnetd (CVE-2017-10614, CVE-2017-10621) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10817&actp=RSS ∗∗∗ JSA10819 - 2017-10 Security Bulletin: Contrail: hard coded credentials (CVE-2017-10616) and XML External Entity (XXE) vulnerability (CVE-2017-10617) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10819&actp=RSS ∗∗∗ Java SE vulnerability CVE-2017-10078 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41815723 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2017
by Daily end-of-shift report 11 Oct '17

11 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-10-2017 18:00 − Mittwoch 11-10-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Antivirus: Symantec will keine Code-Reviews durch Regierungen mehr ∗∗∗ --------------------------------------------- Aus Angst vor Spionage will die Sicherheitsfirma Symantec nach Angaben ihres CEO keine Regierungen mehr in den eigenen Code schauen lassen. Anlass war offenbar eine Anfrage der russischen Regierung. --------------------------------------------- https://www.golem.de/news/antivirus-symantec-will-keine-code-reviews-durch-… ∗∗∗ Internal Accenture Data, Customer Information Exposed in Public Amazon S3 Bucket ∗∗∗ --------------------------------------------- Global consulting firm Accenture is the latest giant organization leaving sensitive internal and customer data exposed in a publicly available Amazon Web Services S3 storage bucket. --------------------------------------------- http://threatpost.com/internal-accenture-data-customer-information-exposed-… ∗∗∗ October 2017 security update release ∗∗∗ --------------------------------------------- Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically, and for customers running previous versions, we recommend .. --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/10/10/october-2017-security-u… ∗∗∗ Credit Card Stealer Investigation Uncovers Malware Ring ∗∗∗ --------------------------------------------- During a recent investigation, I found a new piece of malicious code being used to steal credit card information from compromised Magento sites. What I didn’t know was how many domains would be uncovered as part of the malware campaign. Each of the malicious domain names was specifically chosen to appear as legitimate as possible to the website .. --------------------------------------------- https://blog.sucuri.net/2017/10/credit-card-stealer-investigation-uncovers-… ∗∗∗ iOS: So einfach lassen sich Passwörter von Apple-Nutzern stehlen ∗∗∗ --------------------------------------------- Softwareentwickler zeigt, wie leicht täuschend echt aussehende Passwort-Anfragen erstellt werden können --------------------------------------------- http://derstandard.at/2000065785641 ∗∗∗ BSI warnt nicht vor Kaspersky-Produkten ∗∗∗ --------------------------------------------- Russische Hacker sollen Virenscanner der russischen Firma genutzt haben --------------------------------------------- http://derstandard.at/2000065833977 ∗∗∗ October 2017 Office Update Release ∗∗∗ --------------------------------------------- The October 2017 Public Update releases for Office are now available! This month, there are 26 security updates and 27 non-security updates. All of the security and non-security updates are listed in .. --------------------------------------------- https://blogs.technet.microsoft.com/office_sustained_engineering/2017/10/10… ===================== = Vulnerabilities = ===================== ∗∗∗ LAVA Computer MFG Inc. Ether-Serial Link ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an authentication bypass by spoofing vulnerability in the LAVA Ether-Serial Links firmware. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-283-01 ∗∗∗ JanTek JTC-200 ∗∗∗ --------------------------------------------- This advisory contains mitigation details for cross-site request forgery and improper authentication vulnerabilities in JanTeks JTC-200 TCP/IP converter. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-283-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.10.2017
by Daily end-of-shift report 10 Oct '17

10 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Montag 09-10-2017 18:00 − Dienstag 10-10-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ATMii Malware Makes Windows 7 and Windows Vista ATMs Spit Out Cash ∗∗∗ --------------------------------------------- Security researchers have discovered a new ATM malware strain named ATMii that targets only ATMs running on Windows 7 and Windows Vista. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atmii-malware-makes-windows-… ∗∗∗ Changes in Password Best Practices ∗∗∗ --------------------------------------------- NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they dont help that much. Its better to allow people to use pass phrases.Stop it with password expiration. That was an old idea for an old way we used [...] --------------------------------------------- https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html ∗∗∗ The Absurdly Underestimated Dangers of CSV Injection ∗∗∗ --------------------------------------------- In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. It is an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV. --------------------------------------------- http://georgemauer.net/2017/10/07/csv-injection.html ∗∗∗ Financial Times bekämpft Werbebetrug ∗∗∗ --------------------------------------------- Millionenverluste durch Domain-Spoofing: Werbenetzwerke verkauften Videowerbung für Leser der Financial Times, die aber tatsächlich auf anderen Websites ausgespielt wurde. --------------------------------------------- https://www.heise.de/newsticker/meldung/Financial-Times-bekaempft-Werbebetr… ∗∗∗ Google-Analyse: Microsoft patcht Windows 7/8 teilweise nicht ∗∗∗ --------------------------------------------- Forscher von Google haben nachgewiesen, dass Microsoft Sicherheitslücken in Windows 10 behoben hat, die gleichen Lücken in Windows 7 und 8 jedoch offen ließ. Patches kamen erst, als die Veröffentlichung durch Project Zero drohte. --------------------------------------------- https://heise.de/-3852695 ∗∗∗ Über 37.000 Chrome-Nutzer installierten gefälschte Adblock-Plus-Extension ∗∗∗ --------------------------------------------- Die Browser-Erweiterung Adblock Plus soll vor Werbung und Schadcode schützen. Eine kürzlich aus dem Chrome Web Store entfernte Extension gleichen Namens führte das genaue Gegenteil im Schilde. Im Zweifel ist eine Neuinstallation ratsam. --------------------------------------------- https://heise.de/-3854625 ∗∗∗ Sicherheits-App der Erste Bank ist Schadsoftware ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte Erste Bank und Sparkasse-Nachricht. Darin behaupten sie, dass das Konto von Kund/innen eingeschränkt worden sei und sie zur weiteren Benutzung eine Sicherheits-App installieren müssen. Die angebliche Sicherheits-App ist Schadsoftware. Wer sie isntalliert, ermöglicht Kriminellen Zugriff auf das eigene Konto. --------------------------------------------- https://www.watchlist-internet.at/schadsoftware/sicherheits-app-der-erste-b… ===================== = Vulnerabilities = ===================== ∗∗∗ SAP Security Patch Day – October 2017 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that [...] --------------------------------------------- https://blogs.sap.com/2017/10/10/sap-security-patch-day-october-2017/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Host On-Demand ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009289 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Operations Center and Client Management Services (CVE-2017-10115, CVE-2017-10116) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009293 ∗∗∗ IBM Security Bulletin: WebSphere Application Server Edge Caching Proxy may be vulnerable to HTTP response splitting (CVE-2017-1503) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006815 ∗∗∗ IBM Security Bulletin: Open Source Apache Cordova Android Vulnerabilities affect IBM Worklight and IBM MobileFirst Platform Foundation ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg2C1000350 ∗∗∗ IBM Security Bulletin:IBM Integration Bus is affected by deserialization RCE vulnerability in IBM WebSphere JMS Client ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008829 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.10.2017
by Daily end-of-shift report 09 Oct '17

09 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-10-2017 18:00 − Montag 09-10-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitssoftware: Schlangenöl oder notwendiges Übel? ∗∗∗ --------------------------------------------- Als Schlangenöl wurden in Zeiten des Wilden Westens vorwiegend medizinische Produkte und Hilfsmittel bezeichnet, deren Wirkung wenig bis keinen Ursprung in den darin verwendeten Zutaten hatte oder schlicht nicht existent war. Der Begriff wird mittlerweile auch im Software-Kontext für Produkte verwendet, die mehr versprechen, als sie halten können. Besonders .. --------------------------------------------- https://www.dfn-cert.de/aktuell/sicherheitssoftware-schlangenoel.html ∗∗∗ Foren-Tool Disqus gehackt: 17,5 Millionen User betroffen ∗∗∗ --------------------------------------------- Der Vorfall, bei dem Usernamen und Passwörter abgegriffen wurden, ereignete sich bereits vor fünf Jahren. Disqus will bis jetzt nichts davon gewusst haben. --------------------------------------------- https://futurezone.at/digital-life/foren-tool-disqus-gehackt-17-5-millionen… ∗∗∗ Passwortmanager im Vergleich: Das letzte Passwort, das du dir jemals merken musst ∗∗∗ --------------------------------------------- Menschen scheinen nicht dafür gemacht, sich sehr viele komplizierte Passwörter zu merken. Abhilfe schaffen Passwortmanager. Wir haben die Lösungen von Keepass, Lastpass, 1Password und Dashlane verglichen - und bei allen Stärken gefunden. --------------------------------------------- https://www.golem.de/news/passwortmanager-im-vergleich-das-letzte-passwort-… ∗∗∗ After selling his site for millions, founder hacked it for a second payday ∗∗∗ --------------------------------------------- Rigzone founder sentenced for data duplication scheme "Operation Resume Hoard" was going well. Initiated around April 1, 2015, it represented David W. Kents plan to build the membership of his oil and gas industry .. --------------------------------------------- www.theregister.co.uk/2017/10/07/after_selling_site_for_millions_founder_ha… ∗∗∗ Dnsmasq: A Reality Check and Remediation Practices ∗∗∗ --------------------------------------------- Dnsmasq is the de-facto tool for meeting the DNS/DHCP requirements of small servers and embedded devices. Recently, Google Security researchers identified seven vulnerabilities that can allow a remote attacker to execute code on, leak information from, or crash a device running a Dnsmasq version earlier than 2.78, if configured .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/dnsmasq-reality-… ∗∗∗ John Kellys Hacked Phone Could Be a Major National Security Issue ∗∗∗ --------------------------------------------- When the former head of the Department of Homeland Security and current White House Chief of Staffs personal smartphone gets hacked, nothing good can happen. --------------------------------------------- https://www.wired.com/story/john-kelly-hacked-phone ∗∗∗ TLS 1.3: Security-Devices verhindern die Einführung ∗∗∗ --------------------------------------------- Alle Security-Experten sind sich einig, dass der Standard TLS 1.3 ein deutlicher Schritt zu mehr Sicherheit im Internet wäre. Doch ausgerechnet Security-Devices, die Verschlüsselung aufbrechen, verhindern die Einführung auf nicht absehbare Zeit. --------------------------------------------- https://heise.de/-3852819 ∗∗∗ Testing Security Keys ∗∗∗ --------------------------------------------- http://www.imperialviolet.org/2017/10/08/securitykeytest.html ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3993 tor - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3993 ∗∗∗ DSA-3994 nautilus - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3994 ∗∗∗ Symantec Endpoint Encryption / Symantec Encryption Desktop DoS ∗∗∗ --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… ∗∗∗ HPESBHF03777 rev.2 - HPE Intelligent Management Center (iMC) PLAT, Remote Denial of Service ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/portal/site/hpsc/template.PAGE/action.process/p… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.10.2017
by Daily end-of-shift report 06 Oct '17

06 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-10-2017 18:00 − Freitag 06-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers Hijack Ongoing Email Conversations to Insert Malicious Documents ∗∗∗ --------------------------------------------- A group of hackers is using a sophisticated technique of hijacking ongoing email conversations to insert malicious documents that appear to be coming from a legitimate source and infect other targets participating in the same conversational thread. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hijack-ongoing-email… ∗∗∗ IT-Sicherheit: Für das FBI Botnetze ausschalten ∗∗∗ --------------------------------------------- Der deutsche IT-Sicherheitsforscher Tillmann Werner hat der US-Behörde FBI geholfen, einen gefährlichen Hacker zu jagen. --------------------------------------------- https://www.golem.de/news/it-sicherheit-fuer-das-fbi-botnetze-ausschalten-1… ∗∗∗ Geheimdienste: Wenn Hacker Hacker hacken, scheitert die Attribution ∗∗∗ --------------------------------------------- Einen Hack bis zu seinem Ursprung zurückzuverfolgen, gilt im IT-Sicherheitsbereich als schwieriges Geschäft. Neue Forschungen von Kaspersky zeigen, dass die Situation noch verfahrener ist, als bislang angenommen. --------------------------------------------- https://www.golem.de/news/geheimdienste-wenn-hacker-hacker-hacken-scheitert… ∗∗∗ Whats in a cable? The dangers of unauthorized cables, (Fri, Oct 6th) ∗∗∗ --------------------------------------------- As data speeds have increased over the last few years, and interface ports have become more and more multi-functioning and integrated, cables have started to pose a very particular and real danger. So far, they often have been ignored and considered "dumb wires". But far from that, many cables these days hold logic chips of their own and in some cases even upgradable (replaceable) firmware. --------------------------------------------- https://isc.sans.edu/diary/rss/22904 ∗∗∗ Dumb bug of the week: Apples macOS reveals your encrypted drives password in the hint box ∗∗∗ --------------------------------------------- High Sierra update derided by devs as half-baked | Apple on Thursday released a security patch for macOS High Sierra 10.13 to address vulnerabilities in Apple File System (APFS) volumes and its Keychain software. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/05/apple_patch… ∗∗∗ Wenn Facebook-Freund/innen nach Geld fragen ∗∗∗ --------------------------------------------- Nachdem Facebook-Konten erfolgreich gehackt wurden, versuchen Betrüger daraus Kapital zu schlagen. Aus diesem Grund schreiben sie Kontakte an und erfinden Geschichten, um an schnelles Geld zu kommen. Um kein Opfer dieser Masche zu werden, sollte den Inhalten nicht leichtfertig geglaubt werden. --------------------------------------------- https://www.watchlist-internet.at/facebook-betrug/wenn-facebook-freundinnen… ∗∗∗ Cyber-Sicherheit am Arbeitsplatz: Persönliche Daten im Internet schützen ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/ECSM_BSI_06… ===================== = Vulnerabilities = ===================== ∗∗∗ GE CIMPLICITY ∗∗∗ --------------------------------------------- This advisory contains mitigation details for a stack-based buffer overflow vulnerability in GEs CIMPLICITY. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-278-01 ∗∗∗ ZDI-17-838: (0Day) Microsoft Windows WAV File Uninitialized Pointer Denial of Service Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to cause a denial-of-service condition on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-838/ ∗∗∗ DFN-CERT-2017-1757: Ruby: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1757/ ∗∗∗ HPESBHF03786 rev.1 - HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Notes ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009253 ∗∗∗ IBM Security Bulletin: Multiple DB2 vulnerabilities affect IBM Spectrum Protect (formerly Tivoli Storage Manger) Server (CVE-2017-1105, CVE-2017-1297) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009194 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in Open Source zlib affect IBM Netezza SQL Extensions ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001212 ∗∗∗ Linux kernel vulnerability CVE-2017-14106 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K62178133 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.10.2017
by Daily end-of-shift report 05 Oct '17

05 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-10-2017 18:00 − Donnerstag 05-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Mozilla to End All Firefox Support for XP and Vista in June 2018 ∗∗∗ --------------------------------------------- Mozilla announced today plans to discontinue any support for the Firefox browser on Windows XP and Vista in June 2018. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/software/mozilla-to-end-all-firefox-s… ∗∗∗ Avast: Ccleaner-Malware hat drei Stufen und verschont 64-Bit-PCs ∗∗∗ --------------------------------------------- Die Malware in einer Ccleaner-Version hatte mindestens drei Stufen - von der ersten waren 1,65 Millionen Personen betroffen. Wer ein 64-Bit-Windows nutzt, soll allerdings nichts zu befürchten haben. --------------------------------------------- https://www.golem.de/news/avast-ccleaner-malware-hat-drei-stufen-und-versch… ∗∗∗ Security Awareness Month: How to Help Friends and Family, (Wed, Oct 4th) ∗∗∗ --------------------------------------------- For the last few years, October has been "Security Awareness Month", with various organizations using it to promote security awareness. We have done a few "themed" diaries around security awareness in past years, but for the most part, there isn't that much new to say for our core audience. Security awareness is however still a big issue for the rest of humanity, and if you are looking for advice to help friends and family become more security-aware, then the [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22896 ∗∗∗ SYSCON Backdoor Uses FTP as a C&C Channel ∗∗∗ --------------------------------------------- Bots can use various methods to establish a line of communication between themselves and their command-and-control (C&C) server. Usually, these are done via HTTP or other TCP/IP connections. However, we recently encountered a botnet that uses a more unusual method: an FTP server that, in effect, acts as a C&C server. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Mw_aCJ0nNos/ ∗∗∗ Common Sense in EDI Security ∗∗∗ --------------------------------------------- [...] Looking at these examples, we can see that security is a process, a chain of events; for security measures to succeed, every link in the chain of events must be as secure as possible. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/common-… ∗∗∗ Outsmarting grid security threats ∗∗∗ --------------------------------------------- Almost two-thirds (63 percent) of utility executives believe their country faces at least a moderate risk of electricity supply interruption from a cyberattack on electric distribution grids in the next five years. The Accenture survey of more than 100 utilities executives from over 20 countries revealed interruptions to the power supply from cyberattacks is the most serious concern, cited by 57 percent of respondents. Just as worrying is the physical threat to the distribution grid. --------------------------------------------- https://www.helpnetsecurity.com/2017/10/05/grid-security-threats/ ∗∗∗ PoC for several Magento vulnerabilities released, update now! ∗∗∗ --------------------------------------------- DefenseCode has published proof of concept code for two CSRF and stored XSS vulnerabilities affecting a number of versions of the popular e-commerce platform Magento. Magento is an open source platform that provides merchants with control over their online stores and a shopping cart system, as well as tools to improve the visibility and management of the shop. About the vulnerabilities Security researcher Bosko Stankovic discovered the security flaws during a security audit of Magento [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/10/05/magento-vulnerability-poc-code/ ===================== = Vulnerabilities = ===================== ∗∗∗ iManager 3.0.4 ∗∗∗ --------------------------------------------- Abstract: This patch addresses important issues found since the original release of iManager 3.0. --------------------------------------------- https://download.novell.com/Download?buildid=r_GBmD8A9cU~ ∗∗∗ eDirectory 9.0.4 ∗∗∗ --------------------------------------------- Abstract: This update is being provided to resolve important issues found since the original release of Novell eDirectory 9.0. --------------------------------------------- https://download.novell.com/Download?buildid=WKnTKcctISw~ ∗∗∗ Apple security update for watchOS ∗∗∗ --------------------------------------------- watchOS 4.0.1 includes the security content of watchOS 4 and is available for Apple Watch Series 3 (GPS + Cellular). --------------------------------------------- https://support.apple.com/en-us/HT208163 ∗∗∗ DFN-CERT-2017-1736: Digium Asterisk, Digium Certified Asterisk: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1736/ ∗∗∗ DFN-CERT-2017-1750: cURL: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1750/ ∗∗∗ DFN-CERT-2017-1755: Sophos UTM Manager: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1755/ ∗∗∗ Cisco Security Advisories and Alerts ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SSA-971654 (Last Update 2017-10-05): Authentication Bypass in 7KT PAC1200 Data Manager from the SENTRON Portfolio ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-971654… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2017
by Daily end-of-shift report 04 Oct '17

04 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-10-2017 18:00 − Mittwoch 04-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Announces New Tool to Investigate Memory Corruption Bugs ∗∗∗ --------------------------------------------- Microsoft announced yesterday a new tool that automates the process of detecting the root cause of memory corruption issues. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-new-too… ∗∗∗ New Rowhammer Attack Bypass Previously Proposed Countermeasures ∗∗∗ --------------------------------------------- Security researchers have come up with a variation of the Rowhammer attack that bypasses all previously proposed countermeasures. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-rowhammer-attack-bypass-… ∗∗∗ Website Hosting: Security Awareness Can Reduce Costs ∗∗∗ --------------------------------------------- Website hosting security has matured in recent years. Naturally, the types of security issues have changed because of it. For example, cross-contamination over multiple shared hosting accounts used to be a major problem for large website hosting providers, but this isn’t really a huge threat today. However, malware attacks and other website security-related issues at the account level are still very real problems – just ask anyone who has had their website defaced, redirected, or [...] --------------------------------------------- http://feedproxy.google.com/~r/sucuri/blog/~3/3W5Ls3JO36o/website-hosting-s… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3991 qemu - security update ∗∗∗ --------------------------------------------- Multiple vulnerabilities were found in qemu, a fast processor emulator: --------------------------------------------- https://www.debian.org/security/2017/dsa-3991 ∗∗∗ Apple Releases Security Update for iOS ∗∗∗ --------------------------------------------- Original release date: October 03, 2017 Apple has released iOS 11.0.2 to address vulnerabilities in previous versions of iOS. Exploitation of some of these vulnerabilities could allow a remote attacker to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/10/03/Apple-Releases-Sec… ∗∗∗ Apache Releases Security Updates for Apache Tomcat ∗∗∗ --------------------------------------------- Original release date: October 03, 2017 The Apache Software Foundation has released Apache Tomcat 9.0.1 and 8.5.23 to address a vulnerability in previous versions of the software. A remote attacker could exploit this vulnerability to take control of an affected server. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/10/03/Apache-Releases-Se… ∗∗∗ Apache Struts 2 Remote Code Execution Vulnerability Affecting Multiple Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Integrated Management Controller Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Integrated Management Controller Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Advisories ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Linux kernel vulnerability CVE-2017-14489 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K71796229 ∗∗∗ HPESBMU03753 rev.2 - HPE System Management Homepage for Windows and Linux, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03782 rev.1 - HPE intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03776 rev.1 - HPE Intelligent Management Center (iMC) Service Operation Management (SOM), Remote Arbitrary File Download ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03778 rev.1 - HPE intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03777 rev.1 - HPE Intelligent Management Center (iMC) PLAT, Remote Denial of Service ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03781 rev.1 - HPE intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2017
by Daily end-of-shift report 03 Oct '17

03 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Montag 02-10-2017 18:00 − Dienstag 03-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Three WordPress Plugin Zero-Days Exploited in the Wild ∗∗∗ --------------------------------------------- Hackers have exploited three zero-days to install backdoors on WordPress sites, according to a security alert published minutes ago by WordPress security firm Wordfence. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/three-wordpress-plugin-zero-… ∗∗∗ Security Bugs in Dnsmasq Affect Computers, Smartphones, Routers, IoT Devices ∗∗∗ --------------------------------------------- Security researchers at Google have found seven security bugs in the Dnsmasq application that put an inestimable number of desktops, servers, smartphones, routers, and other IoT devices at risk of hacking. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/security-bugs-in-dnsmasq-aff… ∗∗∗ Cyber Security Challenge: Das Team Austria steht fest ∗∗∗ --------------------------------------------- Nach dem Finale ist vor dem Finale: Die Sieger der Austria Cyber Security Challenge trainieren jetzt für den Sieg im europäischen Hacker-Wettbewerb. --------------------------------------------- https://futurezone.at/digital-life/cyber-security-challenge-das-team-austri… ∗∗∗ Netgear Fixes 50 Vulnerabilities in Routers, Switches, NAS Devices ∗∗∗ --------------------------------------------- Netgear patches over a dozen vulnerabilities impacting its routers, switches and NAS devices. --------------------------------------------- http://threatpost.com/netgear-fixes-50-vulnerabilities-in-routers-switches-… ∗∗∗ E-Mail Tracking ∗∗∗ --------------------------------------------- Interesting survey paper: on the privacy implications of e-mail tracking: Abstract: We show that the simple act of viewing emails contains privacy pitfalls for the unwary. We assembled a corpus of commercial mailing-list emails, and find a network of hundreds of third parties that track email recipients via methods such as embedded pixels. About 30% of emails leak the recipients email address to one or more of these third parties when they are viewed. In the majority of cases, these leaks are [...] --------------------------------------------- https://www.schneier.com/blog/archives/2017/10/e-mail_tracking.html ∗∗∗ Outdated vendor systems leaving finance industry at risk ∗∗∗ --------------------------------------------- BitSight data scientists found that in most cases, companies in the finance industry supply chain are not meeting the same security standards that finance companies hold for their own organizations. The spread of BitSight Security Ratings amongst Finance Firms and monitored Legal, Technology, and Business Services organizations as of September 1st, 2017. "While finance organizations tend to have more sophisticated vendor risk management programs, there is a lot of work to be done to close [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/10/03/outdated-vendor-systems/ ∗∗∗ Threat Hunting Part 2: Hunting on ICS Networks ∗∗∗ --------------------------------------------- In this edition of the Dragos Threat Hunting on ICS network series, we will compare threat hunting on industrial networks with concepts from the wider threat hunting community. We will also look at how the unique characteristics of industrial networks can be used to an advantage as network defense professionals [...] --------------------------------------------- https://dragos.com/blog/20170927-ThreatHuntingSeriesPart2.html ===================== = Vulnerabilities = ===================== ∗∗∗ Dnsmasq Contains Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Original release date: October 03, 2017 Dnsmasq versions 2.77 and prior contain multiple vulnerabilities. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/10/03/Dnsmasq-Contains-M… ∗∗∗ Android Security Bulletin—October 2017 ∗∗∗ --------------------------------------------- https://source.android.com/security/bulletin/2017-10-01 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.10.2017
by Daily end-of-shift report 02 Oct '17

02 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-09-2017 18:00 − Montag 02-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ The Mobile Forensics Process: Steps & Types ∗∗∗ --------------------------------------------- Introduction: Importance of Mobile Forensics The term "mobile devices" encompasses a wide array of gadgets ranging from mobile phones, smartphones, tablets, and GPS units to wearables and PDAs. What they all have in common is the fact that they can contain a lot of user information. Mobile devices are right in the middle of three[...] --------------------------------------------- http://resources.infosecinstitute.com/mobile-forensics-process-steps-types/ ∗∗∗ Investigating Security Incidents with Passive DNS, (Mon, Oct 2nd) ∗∗∗ --------------------------------------------- Sometimes when you need to investigate a security incident or to check for suspicious activity, you become frustrated because the online resource that youre trying to reach has already been cleaned. We cannot blame system administrators and webmasters who are just doing their job. If some servers or websites remains compromised for weeks, others are very quickly restored/patched/cleaned to get rid of the malicious content. Its the same for domain names. Domains registered only for malicious [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22886 ∗∗∗ DNSSEC Key Signing Key Rollover Postponed ∗∗∗ --------------------------------------------- Original release date: September 29, 2017 The Internet Corporation for Assigned Names and Numbers (ICANN) has announced that the change to the Root Zone Key Signing Key (KSK) scheduled for October 11, 2017, has been postponed. A new date for the Key Roll has not yet been determined.DNSSEC is a set of DNS protocol extensions used to digitally sign DNS information, which is an important part of preventing domain name hijacking. Updating the DNSSEC KSK is a crucial security step, similar to [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/09/29/DNSSEC-Key-Signing… ∗∗∗ European Cyber Security Month: United against Cyber Security Threats ∗∗∗ --------------------------------------------- October 2017 is European Cyber Security Month and this year marks the 5th year anniversary of the European Cyber Security Month campaign. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/european-cyber-security-month-u… ∗∗∗ Good Analysis = Understanding(tools + logs + normal) ∗∗∗ --------------------------------------------- We had a reader send an email in a couple of weeks ago asking about understanding the flags field when looking at data in a report. He didnt understand what the "flags" were referring to or what the actual flags mean. "They don’t appear related to TCP header flags like I’ve normally seen...S is the most common but I occasionally see RSA, RUS and a few others." --------------------------------------------- https://isc.sans.edu/forums/diary/Good+Analysis+Understandingtools+logs+nor… ===================== = Vulnerabilities = ===================== ∗∗∗ eDirectory 9.0.4 ∗∗∗ --------------------------------------------- Abstract: This update is being provided to resolve important issues found since the original release of Novell eDirectory 9.0. --------------------------------------------- https://download.novell.com/Download?buildid=WKnTKcctISw~ ∗∗∗ iManager 3.0.4 ∗∗∗ --------------------------------------------- Abstract: This patch addresses important issues found since the original release of iManager 3.0. --------------------------------------------- https://download.novell.com/Download?buildid=r_GBmD8A9cU~ ∗∗∗ XSA-245 ARM: Some memory not scrubbed at boot ∗∗∗ --------------------------------------------- Impact: Sensitive information from one domain before a reboot might be visible to another domain after a reboot. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-245.html ∗∗∗ Vuln: SolarWinds Network Performance Monitor CVE-2017-9538 Denial of Service Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/101066 ∗∗∗ DFN-CERT-2017-1723: GitLab: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebiger Befehle ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1723/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SSA-535640 (Last Update 2017-10-02): Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-535640… ∗∗∗ HPESBMU03753 rev.2 - HPE System Management Homepage for Windows and Linux, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.09.2017
by Daily end-of-shift report 29 Sep '17

29 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-09-2017 18:00 − Freitag 29-09-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Macs Not Receiving EFI Firmware Security Updates as Expected ∗∗∗ --------------------------------------------- Researchers at Duo Security are expected today at Ekoparty to reveal data and a paper that shows Mac users are not receiving EFI firmware updates at expected. --------------------------------------------- http://threatpost.com/macs-not-receiving-efi-firmware-security-updates-as-e… ∗∗∗ ICANN Postpones Scheduled DNS Crypto Key Rollover ∗∗∗ --------------------------------------------- ICANN, the overseer of the Internet’s namespace, announced this week that it was postponing a scheduled change to the cryptographic key that protects the Domain Name System. --------------------------------------------- http://threatpost.com/icann-postpones-scheduled-dns-crypto-key-rollover/128… ∗∗∗ Fake Plugins, Fake Security ∗∗∗ --------------------------------------------- Update: The plugin name is fake and has nothing to do with well-known WP-SpamShield plugin in the official WordPress plugin repository. WordPress users are becoming increasingly more aware of security threats and as a result they are taking more actions to secure their websites (e.g. by installing security plugins). While this is a good thing, there are always black hats trying to take an advantage of new opportunities to compromise websites. --------------------------------------------- https://blog.sucuri.net/2017/09/fake-plugins-fake-security.html ∗∗∗ WiNX: The Ultra-Portable Wireless Attacking Platform ∗∗∗ --------------------------------------------- When you are performing penetration tests for your customers, you need to build your personal arsenal. Tools, pieces of hardware and software are collected here and there depending on your engagements to increase your toolbox. To perform Wireless intrusion tests, I’m a big fan of the WiFi Pineapple. I’ve one for [...] --------------------------------------------- https://blog.rootshell.be/2017/09/28/winx-ultra-portable-wireless-attacking… ∗∗∗ Anonymisierung: Sicherheitsupdates für Tor Browser und Tails ∗∗∗ --------------------------------------------- Der Tor Browser setzt nun auf eine abgesicherte Version von Firefox ESR. In Tails haben die Entwickler diverse Sicherheitslücken, darunter BlueBorne, geschlossen und raten zu einer zügigen Aktualisierung. --------------------------------------------- https://heise.de/-3847033 ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3985 chromium-browser - security update ∗∗∗ --------------------------------------------- Several vulnerabilities have been discovered in the chromium web browser. --------------------------------------------- https://www.debian.org/security/2017/dsa-3985 ∗∗∗ DSA-3985 chromium-browser - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3985 ∗∗∗ DFN-CERT-2017-1713: OpenVPN: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1713/ ∗∗∗ IBM Security Bulletin: IBM WebSphere Commerce has a vulnerability in Marketing ESpots that could cause a denial of service (CVE-2017-1569) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008547 ∗∗∗ IBM Security Bulletin: eDiscovery Manager is affected by an Open Source Apache POI Vulnerability ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22005630 ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, Business Process Manager, IBM Tivoli Monitoring shipped with IBM Cloud Orchestrator (CVE-2017-1194) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000343 ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in IBM Cloud Orchestrator (CVE-2017-1159) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000328 ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-8919) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000322 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.09.2017
by Daily end-of-shift report 28 Sep '17

28 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-09-2017 18:00 − Donnerstag 28-09-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Threat Landscape for Industrial Automation Systems in H1 2017 ∗∗∗ --------------------------------------------- Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the results of its research on the threat landscape for industrial automation systems for the first six months of 2017. --------------------------------------------- http://securelist.com/threat-landscape-for-industrial-automation-systems-in… ∗∗∗ Incident Response Database ∗∗∗ --------------------------------------------- Incidents often require us to rapidly identify which incident response team is responsible for a particular network, corporation or country. FIRST is developing an automated method to access information on Computer Security Incident Response Teams (CSIRT) and other types of incident handling organizations. --------------------------------------------- https://www.first.org/global/irt-database ∗∗∗ Illusion Gap – Antivirus Bypass Part 1 ∗∗∗ --------------------------------------------- Imagine a situation where you double-click a file and Windows loads that file, but your Antivirus scans another file or even scans nothing at all. Sounds weird, right? Depends on who you ask; [...] --------------------------------------------- https://www.cyberark.com/threat-research-blog/illusion-gap-antivirus-bypass… ===================== = Vulnerabilities = ===================== ∗∗∗ DFN-CERT-2017-1706: Cisco IOS, Cisco IOS XE: Mehrere Schwachstellen ermöglichen u.a. das Erlangen von Administratorrechten ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Cisco IOS und IOS XE, ermöglichen einem entfernten, nicht authentisierten Angreifer das Umgehen von Sicherheitsvorkehrungen, was in einem Fall dazu führen kann, dass der Angreifer die vollständige Kontrolle über ein System erlangen kann, das Ausspähen von Informationen sowie die Durchführung verschiedener Denial-of-Service (DoS)-Angriffe. Ein entfernter, einfach authentisierter Angreifer kann [...] --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1706/ ∗∗∗ ZDI-17-829: Trend Micro OfficeScan tmwfp Memory Corruption Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-829/ ∗∗∗ ZDI-17-828: Trend Micro OfficeScan tmwfp Memory Corruption Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-828/ ∗∗∗ IBM Security Bulletin: Smart Cloud Entry is affected by ISC BIND vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025663 ∗∗∗ IBM Security Bulletin: Open Source GNU glibc Vulnerabilities which is used by IBM OS Images for RedHat Linux in IBM PureApplication Systems (CVE-2017-1000366) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008527 ∗∗∗ IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010641 ∗∗∗ IBM Security Bulletin: Open Source Samba Samba Vulnerabilities which is used by IBM OS Images for RedHat Linux in IBM PureApplication Systems (CVE-2017-7494) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007631 ∗∗∗ IBM Security Bulletin: Cross-site Scripting vulnerabilities affect Rational Engineering Lifecycle Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008785 ∗∗∗ IBM Security Bulletin: IBM Insights Foundation for Energy has vulnerabilites to SQL injection and cross-site scripting ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009039 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Integration Designer ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008391 ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2017-3511 in IBM Java SDK affects IBM Process Designer used in IBM Business Process Manager ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008324 ∗∗∗ IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by an OpenSSL vulnerability (CVE-2017-3731) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008918 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Planning Analytics Local ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008584 ∗∗∗ SSA-856721 (Last Update 2017-09-28): Vulnerability in Ruggedcom Discovery Protocol (RCDP) of Industrial Communication Devices ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-856721… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2017
by Daily end-of-shift report 27 Sep '17

27 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-09-2017 18:00 − Mittwoch 27-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Another Banking Trojan Adds Support for NSAs EternalBlue Exploit ∗∗∗ --------------------------------------------- A third banking trojan has added support for EternalBlue, an exploit supposedly created by the NSA, leaked online by the Shadow Brokers, and the main driving force behind the WannaCry and NotPetya ransomware outbreaks. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/another-banking-trojan-adds-… ∗∗∗ Broadcom Wireless: Google veröffentlicht Exploit für iPhone 7 ∗∗∗ --------------------------------------------- Google hat einen Exploit für erneute Probleme in Broadcom-WLAN-Chips veröffentlicht. Betroffen von dem Fehler sind das iPhone 7, aber auch Android-Geräte. Für Apple ist das eine gute Botschaft. --------------------------------------------- https://www.golem.de/news/broadcom-wireless-google-veroeffentlicht-exploit-… ∗∗∗ Nach Hack: Viele Deloitte-Systeme im Internet auffindbar ∗∗∗ --------------------------------------------- Angebliche Zugangsdaten für Deloitte-Systeme sind aufgetaucht, wo sie nicht sein sollten: bei Github und auf Google Plus. Außerdem haben Sicherheitsforscher zahlreiche Systeme des Unternehmens im Netz gefunden - mit offenen Ports für SMB und RDP. --------------------------------------------- https://www.golem.de/news/nach-hack-viele-deloitte-systeme-im-internet-auff… ∗∗∗ Security baseline for Windows 10 "Fall Creators Update" (v1709) – DRAFT ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the draft release of the recommended security configuration baseline settings for Windows 10 "Fall Creators Update," also known as version 1709, "Redstone 3," or RS3. Please evaluate this proposed baseline and send us your feedback via blog comments below. --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-f… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3984 git - security update ∗∗∗ --------------------------------------------- joernchen discovered that the git-cvsserver subcommand of Git, adistributed version control system, suffers from a shell commandinjection vulnerability due to unsafe use of the Perl backtickoperator. The git-cvsserver subcommand is reachable from thegit-shell subcommand even if CVS support has not been configured(however, the git-cvs package needs to be installed). --------------------------------------------- https://www.debian.org/security/2017/dsa-3984 ∗∗∗ Authentication Bypass Vulnerability in the Management Interface of Citrix NetScaler SD-WAN/CloudBridge 4000, 4100, 5000 and 5100 WAN Optimization Edition Appliances ∗∗∗ --------------------------------------------- A vulnerability has been identified in the management interface of the Citrix NetScaler SD-WAN/CloudBridge 4000, 4100, 5000 and 5100 WAN Optimization Edition appliances. This vulnerability, if exploited, could allow an attacker with access to the management interface of the appliance’s NetScaler ADC instance to gain administrative access to the instance. --------------------------------------------- https://support.citrix.com/article/CTX228091 ∗∗∗ SAP Enterprise Portal and Clients Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017090219 ∗∗∗ ZDI-17-812: (0Day) EMC Data Protection Advisor ScheduledReportResource Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-812/ ∗∗∗ iOS 11.0.1 Security Update ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT208143 ∗∗∗ IBM Security Bulletin: API Connect Portal is affected by multiple Drupal vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008902 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Cloud Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025664 ∗∗∗ HPESBMU03753 rev.1 - HPE System Management Homepage, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.09.2017
by Daily end-of-shift report 26 Sep '17

26 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Montag 25-09-2017 18:00 − Dienstag 26-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitslücke in Google für Datendiebstahl genutzt ∗∗∗ --------------------------------------------- Eine spezielle Technik um Webseiten auf mobilen Geräten schneller zu laden, wird von Cyberkriminellen missbraucht, um investigative Journalisten auszuspionieren. --------------------------------------------- https://futurezone.at/digital-life/sicherheitsluecke-in-google-fuer-datendi… ∗∗∗ MacOS High Sierra: MacOS-Keychain kann per App ausgelesen werden ∗∗∗ --------------------------------------------- Der Sicherheitsforscher Patrick Wardle hat demonstriert, dass Apples Keychain unter MacOS mit einer App komplett ausgelesen werden kann. Diese muss aber zunächst an Apples Gatekeeper vorbei. --------------------------------------------- https://www.golem.de/news/macos-high-sierra-macos-keychain-kann-per-app-aus… ∗∗∗ "Preparing for Cyber Security Incidents" ∗∗∗ --------------------------------------------- Talk with any incident responder and youll learn that there are a few less glamorous parts of the job. Writing the final report and preparation in advance to an incident are probably top contenders. In this article I want to focus on preparation and explain to [...] --------------------------------------------- http://ics.sans.org/blog/2017/09/26/preparing-for-cyber-security-incidents ∗∗∗ An Elaborate ATM Threat Crops Up: Network-based ATM Malware Attacks ∗∗∗ --------------------------------------------- Infecting automated teller machines (ATMs) with malware is nothing new. It’s concerning, yes. But new? Not really. We’ve been seeing physical attacks against ATMs since 2009. By physical, we mean opening the target machine’s casing, accessing the motherboard and connecting USB drives or CD-ROMs in order to infect the operating system. Once infected, the ATM is at the attackers’ mercy, which normally means that they are able to empty the money cassettes and walk away with [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/GLIB-nW2ilE/ ∗∗∗ Achtung vor neuer Betrugsmasche: Betrüger ergaunern telefonisch Bitcoin Ladebons ∗∗∗ --------------------------------------------- Das Bundeskriminalamt (BK) warnt vor einem bekannten, aber neu adaptierten Betrugsphänomen, bei dem Inhaber und Angestellte von Trafiken, Tankstellen und Postpartnerstellen via Telefon von Betrügern aufgefordert werden, die Codes der Bitcoin Ladebons bekannt zu geben. Die Polizei informiert. --------------------------------------------- http://www.bmi.gv.at/cms/bk/_news/start.aspx?id=47476E2B724F38597A506B3D&pa… ∗∗∗ Source: Deloitte Breach Affected All Company Email, Admin Accounts ∗∗∗ --------------------------------------------- Deloitte, one of the worlds "big four" accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted "very few" clients. But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloittes entire internal email system. --------------------------------------------- https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-com… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Security Updates ∗∗∗ --------------------------------------------- macOS Server 5.4: https://support.apple.com/kb/HT208102 iTunes 12.7 for Windows: https://support.apple.com/kb/HT208141 iTunes 12.7: https://support.apple.com/kb/HT208140 macOS High Sierra 10.13: https://support.apple.com/kb/HT208144 iCloud for Windows 7.0: https://support.apple.com/kb/HT208142 --------------------------------------------- ∗∗∗ Solarwinds LEM Insecure Update Process ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017090206 ∗∗∗ FLIR Systems FLIR Thermal Camera - Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ IBM Security Bulletin: Vulnerability in system log on IBM DataPower Gateways WebGUI console (CVE-2017-1591) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008815 ∗∗∗ IBM Security Bulletin: Path Traversal Vulnerability in IBM WebSphere Portal (CVE-2017-1577) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008586 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Web Experience Factory ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007912 ∗∗∗ IBM Security Bulletin: Vulnerability in Node.js affects IBM DataPower Gateways (CVE-2017-11499) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008629 ∗∗∗ IBM Security Bulletin: RMI Dispatcher port used by Security Identity Adapters is not authenticated by default ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007375 ∗∗∗ IBM Security Bulletin: Security Identity Adapter attribute input is not protected against command injection ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007377 ∗∗∗ IBM Security Bulletin: Vulnerability in XDR affects IBM DataPower Gateways (CVE-2017-8804) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008628 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.09.2017
by Daily end-of-shift report 25 Sep '17

25 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-09-2017 18:00 − Montag 25-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Securing The Supply Chain Is As Important As Securing The Front Door ∗∗∗ --------------------------------------------- Today most organisations rely on a number of suppliers for providing services to their customers. Supply chain plays a key role within an organisation allowing them to innovate, create new products or services, increase their profitability and compete with other organisations. To be able to do so, organisations need to allow suppliers to connect to their systems/applications and also allow exchange of sensitive information with their suppliers and partners. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/securing-the-supply-ch… ∗∗∗ 7% of All Amazon S3 Servers Are Exposed, Explaining Recent Surge of Data Leaks ∗∗∗ --------------------------------------------- During the past year, there has been a surge in data breach reporting regarding Amazon S3 servers left accessible online, and which were exposing private information from all sorts of companies and their customers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/7-percent-of-all-amazon-s3-s… ∗∗∗ Krypto-Trojaner RedBoot infiziert MBR und zerstört Dateien ∗∗∗ --------------------------------------------- Eine neue Ransomware treibt ihr Unwesen im Master Boot Record von Windows-PCs. Darüber hinaus verschlüsselt sie auch Dateien – ohne jedoch einen Weg zur Entschüsselung zu bieten. --------------------------------------------- https://heise.de/-3840923 ∗∗∗ CCleaner-Malware: Avast veröffentlicht weitere Analyse-Ergebnisse ∗∗∗ --------------------------------------------- In einem neuen Blogeintrag nennt Avast weitere Details zum Schadcode in CCleaner 5.33.6162. Dazu zählen konkrete Angriffsziele und Infektionszahlen sowie weitere Details zu möglichen Herkunftsländern der Täter. --------------------------------------------- https://heise.de/-3840809 ∗∗∗ Gefälschte Apple-Nachricht: Subscription Confirmation ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte Apple-Nachricht. Darin behaupten sie, dass Empfänger/innen eine teure Anwendung gekauft haben. Sollte das nicht der Fall sein, können sie die Bestellung auf einer Website stornieren. Apple-Kund/innen, die den angeblichen Einkauf rückgängig machen wollen, übermitteln ihre Kreditkartendaten an Betrüger/innen. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-apple-nachricht-subs… ∗∗∗ A Historical Perspective on IT & OT Convergence ∗∗∗ --------------------------------------------- Hello IIoT World readers, and thanks for engaging with my column. Over the course of the next few months, I plan to write on a number of topics that are, individually, highly relevant to the IIoT Security realm. Perhaps more importantly, many of these topics can be viewed as being all inter-related in a way that describes some of the things Continue ReadingThe post A Historical Perspective on IT & OT Convergence appeared first on Create a culture of innovation with IIoT World!. --------------------------------------------- http://iiot-world.com/cybersecurity/a-historical-perspective-on-it-ot-conve… ∗∗∗ The Ethics of Running a Data Breach Search Service ∗∗∗ --------------------------------------------- No matter how much anyone tries to sugar coat it, a service like Have I been pwned (HIBP) which deals with billions of records hacked out of other peoples systems is always going to sit in a grey area. There are degrees, of course; at one end of the spectrum [...] --------------------------------------------- https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/ ===================== = Advisories = ===================== ∗∗∗ Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface ∗∗∗ --------------------------------------------- A vulnerability has been identified in the management interface of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that, if exploited, could allow an attacker with access to the NetScaler management interface to gain administrative access to the appliance. --------------------------------------------- https://support.citrix.com/article/CTX227928 ∗∗∗ IBM Security Bulletin: privilege escalation in IBM Business Process Manager (BPM) – CVE-2017-1539 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007451 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Process Manager Process Center Console (CVE-2017-1531) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007354 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Process Manager Process Admin Console (CVE-2017-1530) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007351 ∗∗∗ IBM Security Bulletin: XML External Entity (XXE) injection vulnerability affects IBM Business Process Manager (CVE-2017-1527) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007346 ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in IBM Business Process Manager (BPM) – CVE-2017-1425 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006265 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21996096 ∗∗∗ Alert for CVE-2017-9805 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-388… ∗∗∗ Apache ActiveMQ vulnerability CVE-2016-6810 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55444705 ∗∗∗ HPESBNS03775 rev.1 - HPE NonStop Samba, Remote Disclosure of Information, Authentication Bypass, Unauthorized Elevation of Privilege ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.09.2017
by Daily end-of-shift report 22 Sep '17

22 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-09-2017 18:00 − Freitag 22-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CLKSCREW Attack Can Hack Modern Chipsets via Their Power Management Features ∗∗∗ --------------------------------------------- A team of three scientists from Columbia University has discovered that by attacking the combo of hardware and software management utilities embedded with modern chipsets, threat actors can take over systems via an attack surface found in almost all modern electronic devices. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/clkscrew-attack-can-hack-mod… ∗∗∗ Ecommerce Security: Fake Jquery Used as CC Scraper ∗∗∗ --------------------------------------------- In the last few months, we noticed an increase in attacks targeting ecommerce platforms aiming to steal credit card information. We saw a similar rise last year after the summer ended, and believe that trend will continue now that the holiday season is quickly approaching. Most of these attacks are based on intercepting the communication between the online store and the payment gateway (the checkout process) in order to send valuable information to the attacker. --------------------------------------------- https://blog.sucuri.net/2017/09/fake-jquery-used-cc-scraper-ecommerce.html ∗∗∗ How I hacked hundreds of companies through their helpdesk ∗∗∗ --------------------------------------------- Months ago I discovered a flaw hackers can use to access a companys internal communications. The flaw only takes a couple of clicks to potentially access intranets, social media accounts such as Twitter, and most commonly Yammer and Slack teams. --------------------------------------------- https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-… ∗∗∗ Passwords to Over a Half Million Car Tracking Devices Leaked Online ∗∗∗ --------------------------------------------- We’ve seen a lot of data breaches this year: some big, some small, some that are dangerous, and some that are just embarrassing. But if we were to name one as the creepiest data breach of 2017, this leak of logins for car tracking devices might take the cake. --------------------------------------------- https://gizmodo.com/passwords-to-access-over-a-half-million-car-tracking-de… ∗∗∗ Tips for Reverse-Engineering Malicious Code ∗∗∗ --------------------------------------------- This cheat sheet outlines tips for reversing malicious Windows executables via static and dynamic code analysis with the help of a debugger and a disassembler. --------------------------------------------- https://zeltser.com/reverse-engineering-malicious-code-tips/ ∗∗∗ Hack the Hacker – Fuzzing Mimikatz On Windows With WinAFL & Heatmaps (0day) ∗∗∗ --------------------------------------------- In this blogpost, I want to explain two topics from a theoretical and practical point of view: How to fuzz windows binaries with source code available (this part is for developers) and How to deal with big input files (aka heatmap fuzzing) and crash analysis (for security consultants; more technical) --------------------------------------------- https://www.sec-consult.com/en/blog/2017/09/hack-the-hacker-fuzzing-mimikat… ===================== = Advisories = ===================== ∗∗∗ Schneider Electric InduSoft Web Studio, InTouch Machine Edition ∗∗∗ --------------------------------------------- This advisory contains mitigation details for a missing authentication for critical function vulnerability in Schneider Electrics InduSoft Web Studio and InTouch Machine Edition. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-264-01 ∗∗∗ Ctek, Inc. SkyRouter ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an improper authentication vulnerability in the Ctek, Inc. SkyRouter. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-264-02 ∗∗∗ Digium Asterisk GUI ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an OS command injection vulnerability in Digiums Asterisk GUI. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-264-03 ∗∗∗ iniNet Solutions GmbH SCADA Webserver ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an improper authentication vulnerability in iniNet Solutions GmbH’s SCADA Webserver. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-264-04 ∗∗∗ Saia Burgess Controls PCD Controllers ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an information exposure vulnerability in Saia Burgess Controls PCD Controller. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-234-05 ∗∗∗ DFN-CERT-2017-1682: Perl: Zwei Schwachstellen ermöglichen Denial-of-Service-Angriffe und das Ausspähen von Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1682/ ∗∗∗ Security Advisory - Information Leakage Vulnerability on OceanStor ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ Security Notice - Statement on App Lock Bypass Vulnerability in Huawei EMUI ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170922-01-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Fabric Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099638 ∗∗∗ IBM Security Bulletin: API Connect is affected by a vulnerability by which an authenticated user could generate an API token ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008588 ∗∗∗ IBM Security Bulletin: API Connect is affected by a Cross Frame Scripting vulnerability CVE-2017-1551 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008372 ∗∗∗ IBM Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect IBM Business Process Manager (BPM) Configuration Editor ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007168 ∗∗∗ IBM Security Bulletin: HTML injection vulnerability in IBM Business Process Manager (BPM) – CVE-2017-1424 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005112 ∗∗∗ IBM Security Bulletin: Security Identity Adapter data traffic to/from server is not encrypted by default ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007381 ∗∗∗ IBM Security Bulletin: Potential information leakage during process app export in IBM Business Process Manager (CVE-2017-1346) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004654 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting vulnerability in Business Space Help affects IBM Business Process Manager (BPM) and WebSphere Process Server (WPS) – CVE-2013-0464 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005596 ∗∗∗ EMC M&R Watch4net for SAS Solution Packs WebService Gateway Directory Traversal Flaw Lets Remote Authenticated Users Access and Modify Data and JMX Protocol Flaw Lets Remote Users Deny Service ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039418 ∗∗∗ EMC ViPR SRM WebService Gateway Directory Traversal Flaw Lets Remote Authenticated Users Access and Modify Data and JMX Protocol Flaw Lets Remote Users Deny Service ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039417 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.09.2017
by Daily end-of-shift report 21 Sep '17

21 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-09-2017 18:00 − Donnerstag 21-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Transportverschlüsselung zwischen Mailservern ∗∗∗ --------------------------------------------- Empfehlungen zur Konfiguration mit Beispielen für Postfix und exim --------------------------------------------- https://www.dfn-cert.de/aktuell/smtp-transportverschluesselung.html ∗∗∗ Optimierungsprogramm: Ccleaner-Malware sollte wohl Techkonzerne ausspionieren ∗∗∗ --------------------------------------------- Cisco widerspricht Avast: Die zweite Stufe der mit Ccleaner verteilten Malware sei sehr wohl aktiviert worden. Angeblich sollen die Macher der Kampagne es auf Betriebsgeheimnisse großer Techfirmen abgesehen haben. --------------------------------------------- https://www.golem.de/news/optimierungsprogramm-ccleaner-malware-sollte-wohl… ∗∗∗ FedEX: TNT verliert durch NotPetya 300 Millionen US-Dollar ∗∗∗ --------------------------------------------- Angriffe auf die IT-Infrastruktur sind teuer: Nach Maersk hat auch das Logistikunternehmen TNT einen erheblichen Verlust durch NotPetya bekannt gegeben. Die Reparatur aller Systeme soll bis Ende September abgeschlossen werden. --------------------------------------------- https://www.golem.de/news/fedex-tnt-verliert-durch-notpetya-300-millionen-u… ∗∗∗ Deep-Learning PassGAN Tool Improve Password Guessing ∗∗∗ --------------------------------------------- A deep-learning network known as a GAN has been applied to passwords, and a tool called PassGAN significantly improves the ability to guess user passwords over tools such as Hashcat or John the Ripper. --------------------------------------------- http://threatpost.com/deep-learning-passgan-tool-improve-password-guessing/… ∗∗∗ Introducing Burplay, A Burp Extension for Detecting Privilege Escalations ∗∗∗ --------------------------------------------- The seventh entry on the most recent OWASP Top 10 release (from 2013, due to the 2017 release candidate being rejected!) is "Missing Function Level Access Control", which is essentially what leads to Privilege Escalation issues. This common vulnerability related... --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Introducing-Burplay,-A-… ∗∗∗ New FinFisher surveillance campaigns: Are internet providers involved? ∗∗∗ --------------------------------------------- New surveillance campaigns utilizing FinFisher, infamous spyware known also as FinSpy and sold to governments and their agencies worldwide, are in the wild. Besides featuring technical improvements, some of these variants have been using a cunning, previously-unseen infection vector with strong indicators of major internet service provider (ISP) involvement. --------------------------------------------- https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campai… ∗∗∗ Intel Management Engine gehackt ∗∗∗ --------------------------------------------- Sicherheitsexperten zeigten, wie sie eine Sicherheitslücke in Intels ME-Firmware nutzen, um unsignierten Code auszuführen. Die ME hat im Prinzip unbeschränkten Zugriff auf die Hardware des Systems, kann aber von Virenscannern nicht überwacht werden. --------------------------------------------- https://heise.de/-3837239 ∗∗∗ Verschlüsselung: Gpg4win 3.0 hält sich dezent im Hintergrund ∗∗∗ --------------------------------------------- Die Windows-Softwaresammlung Gpg4win verwendet Version 2.2 der freien Krypto-Engine GnuPG und sorgt dafür, dass Outlook mit dem OpenPGP/MIME-Standard umgehen kann. --------------------------------------------- https://heise.de/-3837176 ===================== = Advisories = ===================== ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 20, 2017 The Samba Team has released security updates to address several vulnerabilities in Samba. An attacker could exploit any of these vulnerabilities to obtain access to potentially sensitive information.US-CERT encourages users and administrators to review the Samba Security Announcements for CVE-2017-12150, CVE-2017-12151, and CVE-2017-12163 and apply the necessary updates, or refer to their Linux or Unix-based OS vendors for appropriate patches. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/09/20/Samba-Releases-Sec… ∗∗∗ Page Access - Unsupported - SA-CONTRIB-2017-75 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2910306 ∗∗∗ Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2910308 ∗∗∗ Clientside Validation - Critical - Arbitary PHP Execution - DRUPAL-SA-CONTRIB-2017-072 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2907118 ∗∗∗ Security Update for tvOS 11 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT208113 ∗∗∗ Security Update for watchOS 4 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT208115 ∗∗∗ Cisco Unified Intelligence Center Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Wide Area Application Services HTTP Application Optimization Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco UCS Central Software Command Line Interface Restricted Shell Break Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business SPA300, SPA500, and SPA51x Series IP Phones Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business Managed Switches Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FindIT DLL Preloading Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Email Security Appliance Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Customer Voice Portal Operations Console Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Intelligence Center Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Intelligence Center User Interface Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Vulnerability in the Linux Kernel affects IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems (CVE-2017-6214) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099637 ∗∗∗ IBM Security Bulletin: IBM MQ termination of a client application causes denial of service (CVE-2017-1235) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005415 ∗∗∗ IBM Security Bulletin: Open Source OpenSSL, GNUTls, RHEL CVE-2016-8610 'SSL-Death-Alert' affects IBM Cisco switches and directors. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010572 ∗∗∗ IBM Security Bulletin: Multiple Java Vulnerabilities affect DB2 Text Search Stand Alone Accessories Suite ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007190 ∗∗∗ OpenJDK vulnerabilities CVE-2015-2601, CVE-2015-2621, CVE-2015-2632, CVE-2015-4748, and CVE-2015-4749 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K84947349 ∗∗∗ HPESBHF03705 rev.2 - HPE Integrated Lights-Out 4 and Moonshot Remote Console Administrator (iLO 4 and MRCA) Remote Disclosure of Information ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2017
by Daily end-of-shift report 20 Sep '17

20 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-09-2017 18:00 − Mittwoch 20-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iTerm2 Leaks Everything You Hover in Your Terminal via DNS Requests ∗∗∗ --------------------------------------------- iTerm2, a popular Mac application that comes as a replacement for Apples official Terminal app, just received a security fix minutes ago for a severe security issue that leaked terminal content via DNS requests. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/iterm2-leaks-everything-you-… ∗∗∗ New tool: mac-robber.py, (Tue, Sep 19th) ∗∗∗ --------------------------------------------- On a recent forensic investigation where we couldn't take the Linux system down to image the disks, I was forced to do live response. Fortunately, I was able to get a memory image, but I also wanted a filesystem timeline. I first went to my old friend fls from The SleuthKit (TSK), but for some reason, it failed. So, I tried mac-robber (also from TSK) and it, too, failed. Not one to give up easily, I decided to write my own version of mac-robber in Python. Like the TSK mac-robber, [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22844 ===================== = Advisories = ===================== ∗∗∗ PHOENIX CONTACT mGuard Device Manager ∗∗∗ --------------------------------------------- This advisory contains mitigation details for improper access control vulnerabilities within PHOENIX CONTACTs mGuard Device Manager associated with Oracle Java SE. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-262-01 ∗∗∗ WordPress 4.8.2 Security and Maintenance Release ∗∗∗ --------------------------------------------- WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. --------------------------------------------- https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance… ∗∗∗ Apple Security Updates ∗∗∗ --------------------------------------------- iOS 11: https://support.apple.com/en-us/HT208112 Safari 11: https://support.apple.com/en-us/HT208116 Xcode 9: https://support.apple.com/en-us/HT208103 --------------------------------------------- ∗∗∗ DFN-CERT-2017-1665: Apache Foundation Tomcat: Zwei Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1665/ ∗∗∗ Security Advisory - Two Vulnerabilities in Some Huawei CPE Devices ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ Security Advisory - Information Exposure Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ Security Advisory - Information Exposure Vulnerability on FusionSphere OpenStack ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ F5 TMM vulnerability CVE-2017-6147 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43945001 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2017
by Daily end-of-shift report 19 Sep '17

19 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Montag 18-09-2017 18:00 − Dienstag 19-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Avast Clarifies Details Surrounding CCleaner Malware Incident ∗∗∗ --------------------------------------------- Avast published earlier today a post-mortem of the CCleaner malware incident, in the hopes to clarify some of the details surrounding the event that many of its users found troubling. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/avast-clarifies-details-surr… ∗∗∗ Apples FaceID ∗∗∗ --------------------------------------------- This is a good interview with Apples SVP of Software Engineering about FaceID. Honestly, I dont know what to think. I am confident that Apple is not collecting a photo database, but not optimistic that it cant be hacked with fake faces. I dislike the fact that the police can point the phone at someone and have it automatically unlock. So this is important: I also quizzed Federighi about the exact way you "quick disabled" Face ID in tricky scenarios -- like being stopped by police, or [...] --------------------------------------------- https://www.schneier.com/blog/archives/2017/09/apples_faceid.html ∗∗∗ Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data ∗∗∗ --------------------------------------------- Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT Search and Replace scripts (searchreplacedb2.php). The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks. Typical injected scripts look like this: [...] --------------------------------------------- https://blog.sucuri.net/2017/09/old-themes-abandoned-scripts-pitfalls-clean… ∗∗∗ Someone checked and, yup, you can still hijack Gmail, Bitcoin wallets etc via dirty SS7 tricks ∗∗∗ --------------------------------------------- Two-factor authentication by SMS? More like SOS Once again, its been demonstrated that vulnerabilities in cellphone networks can be exploited to intercept one-time two-factor authentication tokens in text messages. --------------------------------------------- https://www.theregister.co.uk/2017/09/18/ss7_vuln_bitcoin_wallet_hack_risk/ ∗∗∗ Open Hadoop Service Scanning Project ∗∗∗ --------------------------------------------- If you are looking at this page, then more than likely, you noticed a scan coming from this server across your network and/or poking at the Hadoop Namenode or Datanode web service. The Shadowserver Foundation is currently undertaking a project to search for publicly accessible devices that have one or both of these hadoop services service running. The goal of this project is to identify openly accessible systems that have these services running and report them back to the network owners for [...] --------------------------------------------- https://hadoopscan.shadowserver.org/ ∗∗∗ Call for Papers IT-SECX 2017 - "Future incident response" ∗∗∗ --------------------------------------------- Die IT-SECX ist eine Security-Konferenz mit Vorträgen und Workshops. [...] Das Motto der heurigen IT-SECX ist "Future incident response" mit dem Ziel aktuelle gezielte Angriffe, Malwarekampagnen und Gegenmaßnahmen zu diskutieren. Mit diesem Fokus sind Einreichungen für Vorträge zu folgenden Themen erwünscht: [...] --------------------------------------------- https://itsecx.fhstp.ac.at/call-for-papers/ ∗∗∗ Gefährdeter Datenschutz: Firefox löscht lokale Datenbanken nicht ∗∗∗ --------------------------------------------- Der Firefox-Browser bringt ein großes Datenschutzproblem mit sich. Nur umständlich lässt sich die Firefox-Chronik von Nutzern löschen. Webseiten können mühelos auf zuvor im Browser gespeicherte Daten zugreifen. --------------------------------------------- https://heise.de/-3835084 ∗∗∗ PC-Wahl: CCC demonstriert erneut einen Angriff und bietet Open-Source-Hilfe ∗∗∗ --------------------------------------------- Mit einem demonstrativen Hack macht der CCC auf ein erneutes Sicherheitsproblem der bereits mehrfach nachgebesserten Wahl-Software aufmerksam. Eine Open-Source-Spende soll PC-Wahl jetzt zu einer sicheren Update-Funktion verhelfen. --------------------------------------------- https://heise.de/-3835282 ∗∗∗ Unternehmen im Visier von Cyber-Kriminellen ∗∗∗ --------------------------------------------- Mit gefälschten Zahlungsanweisungen versuchen Kriminelle, von Unternehmen hohe Geldsummen zu stehlen. Ihre Nachrichten richten sich direkt an die Buchhaltung und geben vor, dass sie von der Geschäftsführung stammen. Mitarbeiter/innen, die auf den sogenannten CEO-Betrug hereinfallen, verursachen hohe Verluste. Wir zeigen Ihnen, wie Sie Ihr Unternehmen vor diesem Betrug schützen. --------------------------------------------- https://www.watchlist-internet.at/sonstiges/unternehmen-im-visier-von-cyber… ===================== = Advisories = ===================== ∗∗∗ [20170901] - Core - Information Disclosure ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Severity: Low Versions: 3.7.0 through 3.7.5 Exploit type: Information Disclosure Reported Date: 2017-August-4 Fixed Date: 2017-September-19 CVE Number: CVE-2017-14595 Description A logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state. Affected Installs Joomla! CMS versions 3.7.0 through 3.7.5 Solution Upgrade to version 3.8.0 --------------------------------------------- https://developer.joomla.org/security-centre/710-20170901-core-information-… ∗∗∗ [20170902] - Core - LDAP Information Disclosure ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Severity: Medium Versions: 1.5.0 through 3.7.5 Exploit type: Information Disclosure Reported Date: 2017-July-27 Fixed Date: 2017-September-19 CVE Number: CVE-2017-14596 Description Inadequate escaping in the LDAP authentication plugin can result into a disclosure of username and password. Affected Installs Joomla! CMS versions 1.5.0 through 3.7.5 Solution Upgrade to version 3.8.0 --------------------------------------------- https://developer.joomla.org/security-centre/711-20170902-core-ldap-informa… ∗∗∗ Security Advisory 2017-04: Security Update for all OTRS Versions ∗∗∗ --------------------------------------------- September 18, 2017 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability. Please send information regarding vulnerabilities in OTRS to: security(a)otrs.org --------------------------------------------- https://www.otrs.com/security-advisory-2017-04-security-update-otrs-version… ∗∗∗ DSA-3978 gdk-pixbuf - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3978 ∗∗∗ DSA-3977 newsbeuter - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3977 ∗∗∗ DFN-CERT-2017-1643: Moodle: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1643/ ∗∗∗ Security Advisory - Multiple Vulnerabilities in MTK Platform ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170919-… ∗∗∗ IBM Security Bulletin: API Connect Portal is affected by multiple Drupal vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008323 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect API Connect ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008382 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational Synergy ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008122 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Storage Productivity Center (CVE-2017-1382) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007663 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Storage Productivity Center (CVE-2017-1380) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007665 ∗∗∗ Expat vulnerability CVE-2016-0718 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52320548 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.09.2017
by Daily end-of-shift report 18 Sep '17

18 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-09-2017 18:00 − Montag 18-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Machine Learning Myths ∗∗∗ --------------------------------------------- “Machine learning” is the new “it” buzzword in security. As a result, it’s being thrown around fairly loosely on vendor websites and in marketing materials. Not only is that unfortunate for anyone looking to get a straight answer on how machine learning can help their company stay more secure, it is also fostering a general sense of confusion around what the term actually means. To help clear things up, let’s take a closer look at six of the most common [...] --------------------------------------------- https://feeds.feedblitz.com/~/459728214/0/alienvault-blogs~Machine-Learning… ∗∗∗ Optionsbleed: Apache-Webserver blutet ∗∗∗ --------------------------------------------- Beim Apache-Webserver lassen sich in bestimmten Konfigurationen Speicherfragmente durch einen Angreifer auslesen. Besonders kritisch ist diese Lücke in Shared-Hosting-Umgebungen. --------------------------------------------- https://www.golem.de/news/optionsbleed-apache-webserver-blutet-1709-130105-… ∗∗∗ CCleaner: Avast verteilt Malware mit Optimierungsprogramm ∗∗∗ --------------------------------------------- So hatten sich Nutzer die Optimierung des PCs sicher nicht vorgestellt: Eine Version von CCleaner wurde für rund einen Monat mit Malware ausgeliefert. --------------------------------------------- https://www.golem.de/news/ccleaner-avast-verteilt-malware-mit-optimierungsp… ∗∗∗ An (un)documented Word feature abused by attackers ∗∗∗ --------------------------------------------- A little while back we were investigating the malicious activities of the Freakyshelly targeted attack and came across spear phishing emails that had some interesting documents attached to them. They were in OLE2 format and contained no macros, exploits or any other active content. --------------------------------------------- http://securelist.com/an-undocumented-word-feature-abused-by-attackers/8189… ∗∗∗ Malicious Backdoors: Fake Images and Strrev Functions ∗∗∗ --------------------------------------------- When a website is compromised, attackers frequently leave behind a backdoor – according to our research around 70% of all website hacks include a backdoor. These backdoors are not designed to attack a website or destroy data, instead they allow an attacker to re-enter a targeted website with little to no authentication, providing them with unauthorized access to the system. Backdoors can be planted anywhere within a site, file system, or database. --------------------------------------------- https://blog.sucuri.net/2017/09/malicious-backdoors-fake-images-strrev-func… ∗∗∗ Achtung: Aktuelle Spam-Mails fälschen Absender von Mitarbeitern ∗∗∗ --------------------------------------------- Akute Gefahr geht von einer Schädlingswelle aus, die per E-Mail anrollt. Durch eine clevere Wahl der Absender könnten auch versierte Anwender verleitet werden, dem darin enthaltenen Link zu folgen. Er führt zu bislang weitgehend unerkannter Malware. --------------------------------------------- https://heise.de/-3834782 ∗∗∗ Keine Sicherheits-App der Erste Bank installieren ∗∗∗ --------------------------------------------- In einer gefälschten Erste Bank-Nachricht fordern Kriminelle Kund/innen dazu auf, dass sie eine Sicherheits-App für ihr mobiles Endgerät installieren. Das sei angeblich notwendig, damit diese weiterhin ihren OnlineBanking-Zugang nützen können. In Wahrheit ist die Sicherheits-App Schadsoftware. Sie ermöglicht es Unbekannten, auf die Konten ihrer Opfer zuzugreifen. --------------------------------------------- https://www.watchlist-internet.at/schadsoftware/keine-sicherheits-app-der-e… ∗∗∗ People cant read (Equifax edition) ∗∗∗ --------------------------------------------- One of these days Im going to write a guide for journalists reporting on the cyber. One of the items Id stress is that they often fail to read the text of what is being said, but instead read some sort of subtext that wasnt explicitly said. This is valid sometimes -- as the subtext is what the writer intended all along, even if they didnt explicitly write it. Other times, though the imagined subtext is not what the writer intended at all. A good example is the recent Equifax breach. --------------------------------------------- http://blog.erratasec.com/2017/09/people-cant-read-equifax-edition.html ===================== = Advisories = ===================== ∗∗∗ DSA-3974 tomcat8 - security update ∗∗∗ --------------------------------------------- Two issues were discovered in the Tomcat servlet and JSP engine. --------------------------------------------- https://www.debian.org/security/2017/dsa-3974 ∗∗∗ DSA-3975 emacs25 - security update ∗∗∗ --------------------------------------------- Charles A. Roelli discovered that Emacs is vulnerable to arbitrary codeexecution when rendering text/enriched MIME data (e.g. when usingEmacs-based mail clients). --------------------------------------------- https://www.debian.org/security/2017/dsa-3975 ∗∗∗ DSA-3976 freexl - security update ∗∗∗ --------------------------------------------- Marcin Icewall Noga of Cisco Talos discovered two vulnerabilities infreexl, a library to read Microsoft Excel spreadsheets, which mightresult in denial of service or the execution of arbitrary code if amalformed Excel file is opened. --------------------------------------------- https://www.debian.org/security/2017/dsa-3976 ∗∗∗ ZDI-17-811: EMC Data Protection Advisor Application Service Static Credentials Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to escalate privileges on vulnerable installations of EMC Data Protection Advisor. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-811/ ∗∗∗ Magento 2.0.16 and 2.1.9 Security Update ∗∗∗ --------------------------------------------- Magento Commerce and Open Source 2.1.9 and 2.0.16 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. --------------------------------------------- https://magento.com/security/patches/magento-2016-and-219-security-update ∗∗∗ SUPEE-10266 ∗∗∗ --------------------------------------------- SUPEE-10266, Magento Commerce 1.14.3.6 and Open Source 1.9.3.6 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. --------------------------------------------- https://magento.com/security/patches/supee-10266 ∗∗∗ BlackBerry response to impact of the vulnerabilities known as BlueBorne on BlackBerry products ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Vuln: Moodle CVE-2017-12157 Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/100848 ∗∗∗ Apache Struts 2 Remote Code Execution Vulnerability Affecting Multiple Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Meeting Server TURN Server Unauthorized Access and Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1634: ChakraCore: Mehrere Schwachstellen ermöglichen das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1634/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008401 ∗∗∗ IBM Security Bulletin: A vulnerability in XStream affects IBM InfoSphere Information Governance components ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004784 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2017-3511, CVE-2017-10115, CVE-2017-10116) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006034 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2017-1194) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006028 ∗∗∗ IBM Security Bulletin: Sweet32 vulnerability affects IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-2183) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006040 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Storage Productivity Center (CVE-2017-1137) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006029 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2017-1121) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006027 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008182 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® WebSphere Real Time ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006696 ∗∗∗ IBM Security Bulletin: Potential security vulnerability in selected fixpacks of WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1501) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008410 ∗∗∗ OpenJDK vulnerabilities CVE-2015-2621, CVE-2015-2632, CVE-2015-4748, and CVE-2015-4749 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K84947349 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.09.2017
by Daily end-of-shift report 15 Sep '17

15 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-09-2017 18:00 − Freitag 15-09-2017 18:00 Handler: Olaf Schwarz Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ten Malicious Libraries Found on PyPI - Python Package Index ∗∗∗ --------------------------------------------- The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI — Python Package Index — the official third-party software repository for the Python programming language. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-foun… ∗∗∗ Equifax Confirms March Struts Vulnerability Behind Breach ∗∗∗ --------------------------------------------- Equifax divulged on Wednesday that the culprit behind this summers breach of 143 million Americans was an Apache Struts vulnerability, CVE-2017-5638, patched back in March. --------------------------------------------- http://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-br… ∗∗∗ VMware Patches Bug That Allows Guest to Execute Code on Host ∗∗∗ --------------------------------------------- Users who run four different types of VMware products, ESXi, vCenter Server, Fusion and Workstation, are being encouraged to update to address a series of vulnerabilities, one critical. --------------------------------------------- http://threatpost.com/vmware-patches-bug-that-allows-guest-to-execute-code-… ∗∗∗ Yet Another Android Malware Infects Over 4.2 Million Google Play Store Users ∗∗∗ --------------------------------------------- Even after so many efforts by Google, malicious apps somehow managed to fool its Play Stores anti-malware protections and infect people with malicious software. The same happened once again when at least 50 apps managed to make its way onto Google Play Store and were successfully downloaded as many as 4.2 million times—one of the biggest malware outbreaks. Security firm Check Point on --------------------------------------------- https://thehackernews.com/2017/09/play-store-malware.html ∗∗∗ Google veröffentlicht API zum Malware-Schutz für Android ∗∗∗ --------------------------------------------- Mit der SafetyNet Verify Apps API können Apps überprüfen, ob Android-Endgeräte Google Play Protect verwenden. Auch der Zugriff auf die Scan-Funktion ist über die Schnittstelle möglich. --------------------------------------------- https://heise.de/-3832697 ∗∗∗ Bashware: Windows 10 über Linux-Komponente angreifbar ∗∗∗ --------------------------------------------- Die Sicherheitsfirma Checkpoint hat eine Möglichkeit gefunden, wie man Windows-10-Rechner über die optionalen Linux-Komponenten des Betriebssystems angreifen kann. Allerdings übertreiben die Forscher den Ernst der Lage gehörig. --------------------------------------------- https://heise.de/-3833695 ∗∗∗ Malvertising-Kampagne setzt auf Krypto-Mining in fremden Browsern ∗∗∗ --------------------------------------------- Fremde CPU-Leistung mittels Malware zum Mining von Bitcoins und Co. zu missbrauchen, ist eine altbewährte Strategie. Eine aktuelle Malvertising-Kampagne im osteuropäischen Raum verlegt das Mining per JavaScript direkt in den Webbrowser. --------------------------------------------- https://heise.de/-3833536 ===================== = Advisories = ===================== ∗∗∗ LOYTEC LVIS-3ME ∗∗∗ --------------------------------------------- This advisory contains mitigation details for relative path traversal, insufficient entropy, cross-site scripting and insufficiently protected credentials vulnerabilities within LOYTECs LVIS-3ME HMI touch panel. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-257-01 ∗∗∗ VMSA-2017-0015 ∗∗∗ --------------------------------------------- VMware ESXi, vCenter Server, Fusion and Workstation updates resolve multiple security vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0015.html ∗∗∗ USN-3417-1: Libgcrypt vulnerability ∗∗∗ --------------------------------------------- Ubuntu Security Notice USN-3417-1 14th September, 2017 libgcrypt20 vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Summary Libgcrypt could be made to expose sensitive information. Software description libgcrypt20 - LGPL Crypto library Details Daniel Genkin, Luke Valenta, and Yuval Yarom discovered that Libgcrypt was susceptible to an attack via side channels. A local attacker could use this attack to recover Curve25519 private keys. --------------------------------------------- http://www.ubuntu.com/usn/usn-3417-1/ ∗∗∗ IBM Security Bulletin: IBM Spectrum Scale Object Protocols functionality is affected by a security vulnerability in Python (CVE-2017-2592) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010471 ∗∗∗ IBM Security Bulletin: Open Source Apache PDFBox Vulnerabilities in IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg21991021 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.09.2017
by Daily end-of-shift report 14 Sep '17

14 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-09-2017 18:00 − Donnerstag 14-09-2017 18:00 Handler: Alexander Riepl Co-Handler: Olaf Schwarz ===================== = News = ===================== ∗∗∗ Zerodium Offering $1M for Tor Browser Zero Days ∗∗∗ --------------------------------------------- Exploit acquisition vendor Zerodium said Wednesday it will pay up to $1M for an unknown Tor Browser zero day. --------------------------------------------- http://threatpost.com/zerodium-offering-1m-for-tor-browser-zero-days/127959/ ∗∗∗ Another webshell, another backdoor! ∗∗∗ --------------------------------------------- Im still busy to follow how webshells are evolving... I recently found another backdoor in another webshell called "cor0.id". The best place to find webshells remind pastebin.com. When Im testing a webshell, I copy it in a VM located on a "wild Internet" VLAN in my home lab with, amongst other controls, full packet capture enabled. --------------------------------------------- https://isc.sans.edu/diary/rss/22826 ∗∗∗ Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data ∗∗∗ --------------------------------------------- Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT Search and Replace scripts (searchreplacedb2.php). The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks. Typical injected scripts look like this ... --------------------------------------------- https://blog.sucuri.net/2017/09/old-themes-abandoned-scripts-pitfalls-clean… ∗∗∗ Samsung’s launches bug bounty program and will reward up to $200,000 to anyone who discovers vulnerabilities in its mobile devices and associated software ∗∗∗ --------------------------------------------- Samsung says,”We take security and privacy issues very seriously; and as an appreciation for helping Samsung Mobile improve the security of our products and minimizing risk to our end-consumers, we are offering a rewards program for eligible security vulnerability reports,”. --------------------------------------------- https://www.techposts.net/samsung-launches-bug-bounty-program-offering-boun… ∗∗∗ Enlarge your botnet with: top D-Link routers (DIR8xx D-Link routers cruisin for a bruisin) ∗∗∗ --------------------------------------------- In this article, we are going to discuss vulnerabilities detected in the top D-Link routers. The devices use the same code, thus giving a magnificent and quite tempting opportunity to attackers to add them to a botnet. Moreover, we have managed to make Mirai for the devices by modifying its compilation script a bit. --------------------------------------------- https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-lin… ∗∗∗ "Display Widgets": WordPress-Plugin mit Backdoor aus Repository entfernt ∗∗∗ --------------------------------------------- Ein Plugin zur Verwaltung von WordPress-Widgets enthielt eine Backdoor, die dessen Herausgeber über Monate hinweg den Fernzugriff ermöglichte. Nun wurde es endgültig aus dem WordPress-Repository entfernt. Ein Update säubert bestehende Installationen. --------------------------------------------- https://heise.de/-3831761 ∗∗∗ Schwere Lücke im Router D-Link DIR-850L: Patches kommen am 19. September ∗∗∗ --------------------------------------------- Die Heimrouter können von Angreifern aus der Ferne übernommen werden. Bisher gibt es kein Update, da der Entdecker der Lücken D-Link vor der Veröffentlichung nicht informiert hat. Nun hat die Firma das Datum mitgeteilt, ab dem es Patches geben soll. --------------------------------------------- https://heise.de/-3832456 ∗∗∗ End of extended support for Office 2007 ∗∗∗ --------------------------------------------- The end of extended support for the Office 2007 family of desktop and server products is coming up next month. See Office 2007 approaching end of extended support for more details and the list of affected products. --------------------------------------------- https://blogs.technet.microsoft.com/office_sustained_engineering/2017/09/13… ===================== = Advisories = ===================== ∗∗∗ DSA-3972 bluez - security update ∗∗∗ --------------------------------------------- An information disclosure vulnerability was discovered in the ServiceDiscovery Protocol (SDP) in bluetoothd, allowing a proximate attacker toobtain sensitive information from bluetoothd process memory, includingBluetooth encryption keys. --------------------------------------------- https://www.debian.org/security/2017/dsa-3972 ∗∗∗ Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074 ∗∗∗ --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-074 Vulnerability: Cross Site Request Forgery Description: The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. --------------------------------------------- https://www.drupal.org/node/2908592 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearQuest (CVE-2017-1289) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007617 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2016-7055, CVE-2017-3731) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002883 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearCase (CVE-2016-7055, CVE-2017-3731) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002863 ∗∗∗ Persistent Cross-Site Scripting in SilverStripe CMS ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/persistent-cross-site-script… ∗∗∗ Authenticated Command Injection in Ubiquiti Networks UniFi Cloud Key ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/authenticated-command-inject… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.09.2017
by Daily end-of-shift report 13 Sep '17

13 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-09-2017 18:00 − Mittwoch 13-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Over 4,000 ElasticSearch Servers Found Hosting PoS Malware Files ∗∗∗ --------------------------------------------- The Kromtech Security Center has identified over 4,000 instances of ElasticSearch servers that are hosting files specific to two strains of POS (Point of Sale) malware — AlinaPOS and JackPOS. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-4-000-elasticsearch-ser… ∗∗∗ Blueborne: Sicherheitslücken gefährden fünf Milliarden Bluetooth-Geräte ∗∗∗ --------------------------------------------- Etwa fünf Milliarden Geräte weltweit sollen von kritischen Bluetooth-Sicherheitslücken betroffen sein. Die Fehler liegen jedoch nicht im Protokoll, sondern in den entsprechenden Stacks von Windows, Linux und Android. Bei Apple sind nur ältere Geräte von Blueborne betroffen. --------------------------------------------- https://www.golem.de/news/bluetooth-kritische-sicherheitsluecken-ermoeglich… ∗∗∗ Exploit for CVE-2017-8759 detected and neutralized ∗∗∗ --------------------------------------------- The September 12, 2017 security updates from Microsoft include the patch for a previously unknown vulnerability exploited through Microsoft Word as an entry vector. Customers using Microsoft advanced threat solutions were already protected against this threat. The .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-87… ∗∗∗ Hackers Got Into America’s Power Grid. But Don’t Freak Out. ∗∗∗ --------------------------------------------- Last week cybersecurity firm Symantec released a report on what it calls Dragonfly 2.0—a collection of intrusions into industrial and energy-related organizations worldwide. For the last six years, the Dragonfly intrusions and others have regularly gone deeper into the operational networks that control elements of America’s power grid. --------------------------------------------- http://fortune.com/2017/09/11/dragonfly-2-0-symantec-hackers-power-grid/ ∗∗∗ WordPress’ Poor Handling of Plugin Security Exacerbates Malicious Takeover of Display Widgets ∗∗∗ --------------------------------------------- Recently there has been a fair amount of coverage of popular Chrome extensions being modified to include malicious code after the login credentials used to control them in the Chrome Web Store had been compromised .. --------------------------------------------- https://www.pluginvulnerabilities.com/2017/09/11/wordpress-poor-handling-of… ∗∗∗ Adobe stopft Sicherheitslücken in Flash, ColdFusion und RoboHelp ∗∗∗ --------------------------------------------- Auch bei Adobe ist wieder Patchday und der Tradition entsprechend patcht die Firma zu dieser Gelegenheit wieder einmal kritische Lücken im Flash Player. Auch ColdFusion und RoboHelp erhalten Updates. --------------------------------------------- https://heise.de/-3830067 ∗∗∗ Compromised LinkedIn accounts used to send phishing links via private message and InMail ∗∗∗ --------------------------------------------- A recent attack uses existing LinkedIn user accounts to send phishing links to their contacts via private message .. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/09/compromised-linkedin-… ∗∗∗ Patchday: Microsoft stopft Staatstrojaner-Schlupfloch ∗∗∗ --------------------------------------------- Lücke in Word und .NET-Framework wurde von FinFisher-Malware ausgenutzt --------------------------------------------- http://derstandard.at/2000064009454 ===================== = Advisories = ===================== ∗∗∗ DSA-3971 tcpdump - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3971 ∗∗∗ DSA-3970 emacs24 - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3970 ∗∗∗ DSA-3969 xen - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3969 ∗∗∗ Local File Disclosure in VLC media player iOS app ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/local-file-disclosure-in-vlc… ∗∗∗ Multiple Vulnerabilities in IBM Infosphere Information Server / Datastage ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.09.2017
by Daily end-of-shift report 12 Sep '17

12 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Montag 11-09-2017 18:00 − Dienstag 12-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Miners on the Rise ∗∗∗ --------------------------------------------- Over the last month alone, we have detected several large botnets designed to profit from concealed crypto mining. We have also observed growing numbers of attempts to install miners on servers owned by organizations. When these attempts are successful, the companies’ business processes suffer because data processing speeds fall substantially. --------------------------------------------- http://securelist.com/miners-on-the-rise/81706/ ∗∗∗ Google to kill Symantec certs in Chrome 66, due in early 2018 ∗∗∗ --------------------------------------------- This is how trust ends, not with a bang but with a whimper Google has detailed its plan to deprecate Symantec-issued certificates in Chrome.… --------------------------------------------- www.theregister.co.uk/2017/09/12/chrome_66_to_reject_symantec_certs/ ∗∗∗ D-Link DIR-850L: Router können gekapert werden, Patches nicht verfügbar ∗∗∗ --------------------------------------------- In D-Links Heimrouter 850L klaffen schwerwiegende Sicherheitslücken, über die Angreifer die Geräte in ihre Kontrolle bringen können. Updates, welche die Lücken schließen, sind vorerst nicht zu erwarten. --------------------------------------------- https://heise.de/-3828382 ∗∗∗ SAP Security Patch Day – September 2017 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly .. --------------------------------------------- https://blogs.sap.com/2017/09/12/sap-security-patch-day-september-2017/ ===================== = Advisories = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe RoboHelp (APSB17-25), Adobe Flash Player (APSB17-28) and ColdFusion (APSB17-30). Adobe recommends users update their product .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1491 ∗∗∗ DSA-3968 icedove - security update ∗∗∗ --------------------------------------------- Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service. --------------------------------------------- https://www.debian.org/security/2017/dsa-3968 ∗∗∗ Email verification bypass in SAP E-Recruiting ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/email-verification-bypass-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.09.2017
by Daily end-of-shift report 11 Sep '17

11 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-09-2017 18:00 − Montag 11-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Energieversorgung: E-Mail-Konten sind besser gesichert als Windparks ∗∗∗ --------------------------------------------- Windparks machen einen professionellen Eindruck, doch bei der IT-Sicherheit hapert es leider. Recherchen von Internetwache.org und Golem.de zeigen eine Menge Schwachstellen und ein Chaos bei der Zuständigkeit. --------------------------------------------- https://www.golem.de/news/energieversorgung-e-mail-konten-sind-besser-gesic… ∗∗∗ Secure microkernel in a KVM switch offers spy-grade app virtualization ∗∗∗ --------------------------------------------- Need a few air-gapped apps on one screen? Australian researchers show how Researchers at Australian think tank Data61 and the nations Defence Science and Technology Group have cooked up application publishing for the paranoid, by baking an ARM CPU and secure microkernel into a KVM switch.… --------------------------------------------- www.theregister.co.uk/2017/09/07/cross_domain_desktop_compositor_vdi_for_th… ∗∗∗ Apache Foundation rebuffs allegation it allowed Equifax attack ∗∗∗ --------------------------------------------- Timeline explains that either Equifax didnt patch old bugs, or was zero-dayed The Apache Software Foundation has defended its development practices in the face of a report alleging its code was responsible for the Equifax data leak.… --------------------------------------------- www.theregister.co.uk/2017/09/11/apache_rebuts_equifax_allegation/ ∗∗∗ Bug im Windows-Kernel könnte durch Schadcode missbraucht werden ∗∗∗ --------------------------------------------- Im Windows-Kernel schlummert seit Jahren eine Lücke, die in einigen Fällen dafür sorgen könnte, dass Malware vom Radar von Sicherheitssoftware verschwindet. Laut ihrem Entdecker zeigt sich Microsoft bislang aber eher desinteressiert. --------------------------------------------- https://heise.de/-3825130 ∗∗∗ Equifax Breach Response Turns Dumpster Fire ∗∗∗ --------------------------------------------- I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social security numbers and other information on 143 million Americans. --------------------------------------------- https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-… ∗∗∗ Hack: 143 Millionen US-Amerikanern droht Identitätsdiebstahl ∗∗∗ --------------------------------------------- Datendiebstahl bei US-Finanzinstitut Equifax gilt als einer der schlimmsten Einbrüche in der IT-Geschichte --------------------------------------------- http://derstandard.at/2000063850369 ∗∗∗ Another Apache Struts Vulnerability Under Active Exploitation ∗∗∗ --------------------------------------------- This post authored by Nick Biasini with contributions from Alex Chiu.Earlier this week, a critical vulnerability in Apache Struts was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache --------------------------------------------- http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html ===================== = Advisories = ===================== ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- On September 5, 2017, the Apache Software Foundation released security bulletins that disclosed three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity. For more information about the vulnerabilities, refer to the Details section .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ HPESBNS03755 rev.2 - HPE NonStop Server using Samba, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/portal/site/hpsc/template.PAGE/action.process/p… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.09.2017
by Daily end-of-shift report 08 Sep '17

08 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-09-2017 18:00 − Freitag 08-09-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Daten von 143 Millionen US-Amerikanern entwendet ∗∗∗ --------------------------------------------- Bei einem Cyberangriff auf den US-Finanzdienstleister Equifax wurden äußerst sensible Daten von Millionen Amerikanern erbeutet, die nun Betrug im großen Stil ermöglichen. --------------------------------------------- https://futurezone.at/digital-life/daten-von-143-millionen-us-amerikanern-e… ∗∗∗ Android Toast Overlay Attack: “Cloak and Dagger” with No Permissions ∗∗∗ --------------------------------------------- Palo Alto Networks Unit 42 researchers have uncovered a high severity vulnerability in the Android overlay system, which allows a new Android overlay attack by using the “Toast type” overlay.The post Android Toast Overlay Attack: “Cloak and Dagger” with No Permissions appeared first on Palo Alto Networks Blog. --------------------------------------------- https://researchcenter.paloaltonetworks.com/2017/09/unit42-android-toast-ov… ∗∗∗ YASRV (Yet Another Struts RCE Vulnerability) yes a different one from yesterday ∗∗∗ --------------------------------------------- Yesterday saw CVE-2017-9805, today we have a new remote code execution vulnerability in Apache Struts 2 which is CVE-2017-12611. Yesterdays was in the REST API and related to Java XML unsafe deserializarion. Todays relates to using Freemarker in your application. Both should encourage you to patch. --------------------------------------------- https://isc.sans.edu/diary/rss/22796 ∗∗∗ Secure microkernel in a KVM switch offers spy-grade app virtualization ∗∗∗ --------------------------------------------- Need a few air-gapped apps on one screen? Heres how Researchers at Australian think tank Data61 and the nations Defence Science and Technology Group have cooked up application publishing for the paranoid, by baking an ARM CPU and secure microkernel into a KVM switch. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/09/07/cross_domai… ∗∗∗ TLS-Zertifikate: CAAs sollen Zertifizierungsstellen an die Leine legen ∗∗∗ --------------------------------------------- Admins können mit einer Certification Authority Authorization im DNS festlegen, wer Zertifikate für ihre Domain unterschreiben darf. Ab dem 8. September sind diese Vorgaben für Zertifizierungsstellen verbindlich. --------------------------------------------- https://heise.de/-3822010 ∗∗∗ Sechs Lücken in Android-Bootloadern bekannter Hersteller entdeckt ∗∗∗ --------------------------------------------- Die automatisierte Analyse des Codes zweier Android-Bootloader förderte insgesamt sechs Schwachstellen zutage. Denial-of-Service und Zugriff auf sensible Daten sind mögliche Folgen – allerdings nur dann, wenn der Angreifer bereits Root-Rechte hat. --------------------------------------------- https://heise.de/-3824289 ∗∗∗ Schwachstelle in Typo3-Repository als mögliches Schlupfloch für trojanisierte Erweiterungen ∗∗∗ --------------------------------------------- Aufgrund eines Fehlers hätten Dritte unter Umständen mit beliebigem Passwort auf das Typo3 Extension Repository zugreifen können. Nun warnen die Entwickler vor möglichen Erweiterungen mit Schadcode. --------------------------------------------- https://heise.de/-3825378 ∗∗∗ Keine Kartenaktivierung bei card complete erforderlich ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte card complete-Nachricht. Darin heißt es, dass die Kreditkarte von Kund/innen gesperrt worden sei. Für eine Reaktivierung sollen diese persönliche Daten bekannt geben. Wer der Aufforderung nachkommt, sendet Betrüger/innen seine Kreditkarteninformationen. --------------------------------------------- https://www.watchlist-internet.at/phishing/keine-kartenaktivierung-bei-card… ===================== = Advisories = ===================== ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- On September 5, 2017, the Apache Software Foundation released security bulletins that disclose three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity. For more information about the vulnerabilities, refer to the Details section of this advisory.Multiple Cisco products incorporate a version of the Apache Struts 2 package that is affected ... --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02 ∗∗∗ SpiderControl SCADA Web Server ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-250-01 ∗∗∗ PHOENIX CONTACT, Innominate Security Technologies mGuard Firmware ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-250-02 ∗∗∗ i-SENS Inc. SmartLog Diabetes Management Software ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01 ∗∗∗ DFN-CERT-2017-1587/">GDK-PixBuf: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1587/ ∗∗∗ Security Advisory - MITM Vulnerability in Huawei Themes App in Some Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170908-… ∗∗∗ IBM Security Bulletin: Vulnerability in IBM® Java SDK affects multiple IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007909 ∗∗∗ IBM Security Bulletin: Open Source XStream as used in IBM QRadar SIEM is vulnerable to Denial of Service. (CVE-2017-7957) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008217 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22005380 ∗∗∗ IBM Security Bulletin: IBM Java SDK as used in IBM QRadar SIEM is vulnerable to multiple CVE’s. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008210 ∗∗∗ IBM Security Bulletin: IBM QRadar SIEM is vulnerable to information exposure. (CVE-2017-1162) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008194 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.09.2017
by Daily end-of-shift report 07 Sep '17

07 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-09-2017 18:00 − Donnerstag 07-09-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ BlackBerry powered by Android Security Bulletin – September 2017 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Ransomware: What you need to know now | Salted Hash Ep 1, Pt 4 ∗∗∗ --------------------------------------------- Reporters Fahmida Rashid and Steve Ragan talk about the latest ransomware threats, the holes in IT security and the burdens on enterprises. --------------------------------------------- https://www.csoonline.com/video/81516/ransomware-what-you-need-to-know-now-… ∗∗∗ Microsoft Programming Error is Behind Dangerous Kernel Bug, Researchers Claim ∗∗∗ --------------------------------------------- Researchers say a 18-year-old programming error by Microsoft is creating a kernel bug that can be abused by an attacker. --------------------------------------------- http://threatpost.com/microsoft-programming-error-is-behind-dangerous-kerne… ∗∗∗ Interesting List of Windows Processes Killed by Malicious Software ∗∗∗ --------------------------------------------- Just a quick blog post about an interesting sample that I found today. Usually, modern pieces of malware implement anti-debugging and anti-VM techniques. They perform some checks against the target and when a positive result is found, they silently exit… Such checks might be testing the screen resolution, the activity[The post Interesting List of Windows Processes Killed by Malicious Software has been first published on /dev/random] --------------------------------------------- https://blog.rootshell.be/2017/09/06/interesting-list-windows-processes-kil… ∗∗∗ Apache Struts “serialisation” vulnerability – what you need to know ∗∗∗ --------------------------------------------- A bug in Apache Struts, a popular software toolkit for building web services, could let crooks take control of your server. --------------------------------------------- https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisation-vul… ∗∗∗ Hackers Are Distributing Backdoored Cobian RAT Hacking tool For Free ∗∗∗ --------------------------------------------- Nothing is free in this world. If you are searching for free ready-made hacking tools on the Internet, then beware—most freely available tools, claiming to be the swiss army knife for hackers, are nothing but a hoax. Last year, we reported about one such Facebook hacking tool that actually had the capability to hack a Facebook account, but yours and not the one you desire to hack. --------------------------------------------- https://thehackernews.com/2017/09/backdoored-hacking-tools.html ∗∗∗ Expired domain names and malvertising - Malwarebytes Labs ∗∗∗ --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/09/expired-domain-names-… ∗∗∗ Gefälschte Microsoft-Warnung führt zu Datendiebstahl ∗∗∗ --------------------------------------------- Kriminelle fälschen einen Microsoft-Warnhinweis. Darin behaupten sie, dass fremde Computer mit Schadsoftware befallen seien. Vermeintliche Opfer sollen sich deshalb an eine Kundenhotline wenden. In Wahrheit gelangen sie an Verbrecher/innen, die Zugang zum Computer fordern, Dateien kopieren und Zahlungsdaten stehlen. --------------------------------------------- https://www.watchlist-internet.at/sonstiges/gefaelschte-microsoft-warnung-f… ===================== = Advisories = ===================== ∗∗∗ DFN-CERT-2017-1567/">IBM Notes: Zwei Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1567/ ∗∗∗ DFN-CERT-2017-1571/">Cisco ASR 5500 Series Routers: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1571/ ∗∗∗ DFN-CERT-2017-1574/">Cisco Prime Collaboration Provisioning Tool: Zwei Schwachstellen ermöglichen das Ausspähen von Informationen und die Manipulation beliebiger Systemdateien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1574/ ∗∗∗ DFN-CERT-2017-1578/">Cisco ASR 920 Series Router: Zwei Schwachstellen ermöglichen die Ausführung beliebigen Programmcodes und die Manipulation von Dateien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1578/ ∗∗∗ DFN-CERT-2017-1579/">Cisco IOS, Cisco IOS XE: Zwei Schwachstellen ermöglichen verschiedene Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1579/ ∗∗∗ DFN-CERT-2017-1580/">Cisco IR800 Integrated Services Router: Eine Schwachstelle ermöglicht die komplette Kompromittierung des Systems ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1580/ ∗∗∗ Cisco Prime LAN Management Solution Token ID Reuse Lets Remote Authenticated Users Hijack the Target Users Session ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039285 ∗∗∗ Cisco Catalyst 4000 Series Switch Dynamic ACL Bug Lets Remote Users Bypass Port Access Controls on the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039284 ∗∗∗ TYPO3 API Bug Lets Remote Users Obtain Potentially Sensitive Version Information on the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039294 ∗∗∗ TYPO3 File Storage Access Control Flaw Lets Remote Authenticated Users Obtain Potentially Sensitive Information ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039293 ∗∗∗ TYPO3 Input Validation Flaw in Backend Forms Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039292 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.09.2017
by Daily end-of-shift report 06 Sep '17

06 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-09-2017 18:00 − Mittwoch 06-09-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers Gain ‘Switch-Flipping’ Access to US Power Systems ∗∗∗ --------------------------------------------- Hackers who hit American utilities this summer had the power to cause blackouts, Symantec says. --------------------------------------------- https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power… see also: http://derstandard.at/2000063697965 see also: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targ… see also: https://www.bleepingcomputer.com/news/security/sabotage-warning-issued-on-h… ∗∗∗ SynAck Ransomware Sees Huge Spike in Activity ∗∗∗ --------------------------------------------- Over the past two days, there was an increase in activity from a relatively unknown ransomware strain named SynAck, according to submissions to the ID-Ransomware service and users who complained on the Bleeping Computer ransomware support forums. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-… ∗∗∗ Stop blaming users for security misses ∗∗∗ --------------------------------------------- Does the message to users about security need to change? Or does IT need to rebuild infrastructure so users can worry less about security? Wendy Nather, principal security strategist at Duo Security, talks with CSO senior writer Fahmida Rashid about how organizations can learn to do security right. --------------------------------------------- https://www.csoonline.com/video/80055/stop-blaming-users-for-security-misse… ∗∗∗ Security and education in the wake of WannaCry, Petya ∗∗∗ --------------------------------------------- Attacks occur for a variety of reasons, and in the wake of the most widespread ransomware attacks, WannaCry and Petya, many organizations are re-evaluating their security practices to figure out what went wrong.While those who were hit are still trying to understand where their security gaps are, others enterprises that rely on legacy systems and cant be patched are looking for ways to prevent being the next victim. No, the vulnerabilities attackers leverage are not new. They prey on systems --------------------------------------------- https://www.csoonline.com/article/3208384/backup-recovery/security-and-educ… ∗∗∗ The 15 biggest data breaches of the 21st centuryy ∗∗∗ --------------------------------------------- Data breaches happen daily, in too many places at once to keep count, take todays news of another Verizon breach that exposed the personal data of 6 million customers and a somewhat less dire breach at 14 Trump hotels. But what constitutes a huge breach versus a small one? CSO compiled a list of 15 of the biggest or most significant breaches of the 21st century.This list is based not necessarily on the number of records compromised, but on how much risk or damage the breach caused for --------------------------------------------- https://www.csoonline.com/article/2130877/data-protection/the-15-biggest-da… ∗∗∗ ShadowBrokers are back demanding nearly $4m and offering 2 dumps per month ∗∗∗ --------------------------------------------- The dreaded hacking group ShadowBrokers posted a new message, promising to deliver two data dumps a month as part its monthly dumps. The notorious group ShadowBrokers is back with announcing new interesting changes to their Dump Service. The hackers published a new message on the Steemit platform announcing new changed to their service. “Missing theshadowbrokers? If someone […]The post ShadowBrokers are back demanding nearly $4m and offering 2 dumps per month appeared first on --------------------------------------------- http://securityaffairs.co/wordpress/62770/hacking/shadowbrokers-return.html ∗∗∗ A Critical Apache Struts Security Flaw Makes It Easy To Hack Fortune 100 Firms ∗∗∗ --------------------------------------------- An anonymous reader quotes a report from ZDNet: A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability. All versions of Struts since 2008 are affected, said the researchers. --------------------------------------------- https://apache.slashdot.org/story/17/09/05/2053200/a-critical-apache-struts… ∗∗∗ Hacker-Angriffe auf MongoDB treffen fast 27.000 Datenbanken ∗∗∗ --------------------------------------------- Erpresserische Angriffe auf sicherheitsanfällige MongoDB-Datenbanken liegen bei Online-Kriminellen bereits seit Ende letzten Jahres im Trend. Nun geht die Abzocke weiter: Drei neue Hackergruppen fordern Bitcoins im Tausch gegen Datenbankinhalte. --------------------------------------------- https://heise.de/-3822955 ∗∗∗ Security flaw affects 750,000 Estonian ID cards ∗∗∗ --------------------------------------------- An international group of cryptographers has flagged a serious security vulnerability in the chip embedded in Estonian ID cards, the country’s Information System Authority has announced. “Estonian experts assess there to be a possible security vulnerability and we will continue to verify the claims of the researchers,” said Taimar Peterkop, Director-General of the agency. “We have developed the primary solutions to mitigate the risk, and will do our utmost to ensure that --------------------------------------------- https://www.helpnetsecurity.com/2017/09/06/estonian-id-cards-security-flaw/ ===================== = Advisories = ===================== ∗∗∗ Apache Struts: Jetzt updaten und kritische Lücke schließen ∗∗∗ --------------------------------------------- Eine soeben veröffentlichte Version von Apache Struts schließt eine kritische Lücke. Die Entwickler und der Entdecker der Sicherheitslücke rechnen damit, dass diese bald für Angriffe auf Firmen missbraucht wird. Also ist jetzt zügiges Handeln angesagt. --------------------------------------------- https://heise.de/-3822948 ∗∗∗ Bugtraq: [security bulletin] HPESBUX03772 rev.1 - HP-UX BIND Service Running Named, Multiple Vulnerabilities ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541129 ∗∗∗ DFN-CERT-2017-1558/">Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1558/ ∗∗∗ DFN-CERT-2017-1556/">Google Android Operating System: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1556/ ∗∗∗ DFN-CERT-2017-1563/">Google Chrome, Chromium: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1563/ ∗∗∗ DFN-CERT-2017-1561/">IBM AIX, IBM VIOS, IBM Java SDK: Mehrere Schwachstellen ermöglichen u.a. die komplette Kompromittierung des Systems ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1561/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22008080 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.09.2017
by Daily end-of-shift report 05 Sep '17

05 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Montag 04-09-2017 18:00 − Dienstag 05-09-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Six-Year-Old "Loop Bug" Re-Discovered to Affect Almost All Major PDF Viewers ∗∗∗ --------------------------------------------- A bug discovered in an obscure PDF parsing library back in 2011 is also present in most of todays top PDF viewers, according to German software developer Hanno Böck. --------------------------------------------- https://www.bleepingcomputer.com/news/software/six-year-old-loop-bug-re-dis… ∗∗∗ TrustZone Downgrade Attack Opens Android Devices to Old Vulnerabilities ∗∗∗ --------------------------------------------- An attacker can downgrade components of the Android TrustZone technology to older versions that feature known vulnerabilities and use older exploits against smartphones running an up-to-date operating system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trustzone-downgrade-attack-o… ∗∗∗ The Mirai Botnet: A Look Back and Ahead At Whats Next, (Tue, Sep 5th) ∗∗∗ --------------------------------------------- It is a bit hard to nail down when the Mirai botnet really started. I usually use scans for port:2323 and the use of the password "xc3511" as an indicator. But of course, that isn't perfect. The very first scan using the password "xc3511" was detected by our sensor on February 26th, 2016, well ahead of Mirai. --------------------------------------------- https://isc.sans.edu/diary/rss/22786 ∗∗∗ Hunting Pastebin with PasteHunter ∗∗∗ --------------------------------------------- >From a security analytics and Threat Intelligence perspective Pastebin is a treasure trove of information. All content that is uploaded to pastebin and not explicitly set to private (which requires an account) is listed and can be viewed by anyone. --------------------------------------------- https://techanarchy.net/2017/09/hunting-pastebin-with-pastehunter/ ∗∗∗ Finger weg von SHA-1: 320 Millionen Passwörter geknackt ∗∗∗ --------------------------------------------- Wenn Webseitenbetreiber Passwörter von Kunden nicht sicher verwahren, ist der Super-GAU vorprogrammiert. Daran erinnern abermals Sicherheitsforscher, die in überschaubarer Zeit Millionen Passwörter entschlüsselt haben. --------------------------------------------- https://heise.de/-3822005 ===================== = Advisories = ===================== ∗∗∗ DFN-CERT-2017-1547/">Liblouis: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1547/ ∗∗∗ DFN-CERT-2017-1554/">Apache Software Foundation Struts: Mehrere Schwachstellen ermöglichen das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1554/ ∗∗∗ Security Notice - Statement About the Bootloader Vulnerabilities in Huawei Mobile Phones Disclosed at the USENIX Conference ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170905-01-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU – Jan 2017 – Includes Oracle Jan 2017 CPU affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22001461 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg21996956 ∗∗∗ Arbitrary Code Execution in TYPO3 CMS ∗∗∗ --------------------------------------------- https://typo3.org/news/article/arbitrary-code-execution-in-typo3-cms/ ∗∗∗ Information Disclosure in TYPO3 CMS ∗∗∗ --------------------------------------------- https://typo3.org/news/article/information-disclosure-in-typo3-cms-1/ ∗∗∗ Information Disclosure in TYPO3 CMS ∗∗∗ --------------------------------------------- https://typo3.org/news/article/information-disclosure-in-typo3-cms/ ∗∗∗ Cross-Site Scripting in TYPO3 CMS Backend ∗∗∗ --------------------------------------------- https://typo3.org/news/article/cross-site-scripting-in-typo3-cms-backend/ ∗∗∗ USN-3409-1: FontForge vulnerabilities ∗∗∗ --------------------------------------------- http://www.ubuntu.com/usn/usn-3409-1/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.09.2017
by Daily end-of-shift report 04 Sep '17

04 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-09-2017 18:00 − Montag 04-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ RTP Bleed: Mit Asterisk-Bug Telefonate belauschen ∗∗∗ --------------------------------------------- Ein Bug in der IP-Telefonielösung Asterisk ermöglicht Angreifern, Telefonate mitzuhören. Das Problem liegt in der zugrundeliegenden RTP-Implementierung. Ein erster Patch ist da, aber noch fehlerhaft. --------------------------------------------- https://www.golem.de/news/rtp-bleed-mit-asterisk-bug-telefonate-belauschen-… ∗∗∗ Malspam pushing Locky ransomware tries HoeflerText notifications for Chrome and FireFox ∗∗∗ --------------------------------------------- 2017-09-01 update: A different campaign using HoeflerText popups has been active during the same timeframe. I wrote about it here, but the only thing these two campaigns have in common is that they both used HoeflerText popups. --------------------------------------------- https://isc.sans.edu/forums/diary/Malspam+pushing+Locky+ransomware+tries+Ho… ∗∗∗ Fehler in API: Möglicherweise Millionen Kontaktdaten von Instagram-Usern öffentlich ∗∗∗ --------------------------------------------- Wegen eines Bug in der Kommunikationsschnittstelle zu anderen Apps müssen Millionen Instagram-Nutzer um ihre Privatsphäre fürchten. Betroffen sind laut der Facebook-Tochter nicht nur Prominente. --------------------------------------------- https://heise.de/-3820497 ∗∗∗ Mehrere Sicherheitslücken in RubyGems ∗∗∗ --------------------------------------------- Rubys Paketsystem RubyGems enthält Schwachstellen, die unter anderem DoS-Angriffe und DNS-Hijacking ermöglichen. Ein Update auf die aktuelle Version 2.6.13 bannt die Gefahr. --------------------------------------------- https://heise.de/-3820891 ∗∗∗ Mehrere große Torrent-Seiten offenbar nach Attacken offline ∗∗∗ --------------------------------------------- Eine Reihe prominenter Plattformen wie Torrentproject sind nicht mehr erreichbar – Domains suspendiert, Überlastungsangriffe --------------------------------------------- http://derstandard.at/2000063553913 ===================== = Advisories = ===================== ∗∗∗ DSA-3960 gnupg - security update ∗∗∗ --------------------------------------------- Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon GrootBruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom discovered that GnuPG is prone to a local side-channel attack allowing full key recovery for RSA-1024. --------------------------------------------- https://www.debian.org/security/2017/dsa-3960 ∗∗∗ DSA-3961 libgd2 - security update ∗∗∗ --------------------------------------------- A double-free vulnerability was discovered in the gdImagePngPtr()function in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a specially crafted file is processed. --------------------------------------------- https://www.debian.org/security/2017/dsa-3961 ∗∗∗ DSA-3962 strongswan - security update ∗∗∗ --------------------------------------------- A denial of service vulnerability was identified in strongSwan, an IKE/IPsecsuite, using Googles OSS-Fuzz fuzzing project. --------------------------------------------- https://www.debian.org/security/2017/dsa-3962 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.09.2017
by Daily end-of-shift report 01 Sep '17

01 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 31-08-2017 18:00 − Freitag 01-09-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Boobytrapped Word File Installs Locky Ransomware When You Close the Document ∗∗∗ --------------------------------------------- Summer vacation is over! During the past week, security researchers have discovered several distribution campaigns pushing the Locky ransomware via different methods, including a new variant that features one hell of a clever trick. --------------------------------------------- https://www.bleepingcomputer.com/news/security/boobytrapped-word-file-insta… ∗∗∗ US Government Site Was Hosting Ransomware ∗∗∗ --------------------------------------------- As recently as Wednesday afternoon, a U.S. government website was hosting a malicious JavaScript downloader that led victims to installations of Cerber ransomware. The malware link has since been taken down. --------------------------------------------- http://threatpost.com/us-government-site-removes-link-to-cerber-ransomware-… ∗∗∗ Malware writer offers free trojan to hackers ... with one small drawback ∗∗∗ --------------------------------------------- Beware of geeks bearing Cobian RAT gifts Those looking on the dark web for malware capable of hijacking computers might have thought they were getting a bargain when a free trojan appeared on various online souks over the past few months. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/08/31/free_trojan… ∗∗∗ Lücke in HPE Operations Orchestration ermöglicht Remote Code Execution ∗∗∗ --------------------------------------------- Die Software Operations Orchestration erlaubt in allen Versionen vor 10.80 die Codeausführung aus der Ferne. Hewlett Packard Enterprise rät zum Update. Auch für zwei Performancetest-Tools des Herstellers stehen Aktualisierungen bereit. --------------------------------------------- https://heise.de/-3819782 ===================== = Advisories = ===================== ∗∗∗ OPW Fuel Management Systems SiteSentinel Integra and SiteSentinel iSite ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-243-04 ∗∗∗ Moxa SoftCMS Live Viewer ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-243-05 ∗∗∗ Automated Logic Corporation ALC WebCTRL, Liebert SiteScan, Carrier i-VU ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-150-01 ∗∗∗ DFN-CERT-2017-1542/">Digium Asterisk, Digium Certified Asterisk: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1542/ ∗∗∗ SSA-866217: SMBv1 Vulnerabilities in ACUSON S1000/2000/3000 ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-866217… ∗∗∗ Security Advisory - FRP Bypass Vulnerability in Huawei Honor 5S Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170901-… ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Some Huawei APKs ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170901-… ∗∗∗ IBM Security Bulletin: IBM Expeditor is affected by a denial of service vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002103 ∗∗∗ IBM Security Bulletin: IBM Notes is affected by a denial of service vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21999385 ∗∗∗ IBM Security Bulletin: IBM Notes is affected by a denial of service vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21999384 ∗∗∗ IBM Security Bulletin: IBM Notes is affected by Open Source zlib vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21997877 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by a vulnerability in Curl (CVE-2016-7167) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007553 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by vulnerabilities in bash (CVE-2016-9401, CVE-2016-7543, CVE-2016-0634) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007554 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Development Package for Apache Spark ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007416 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Network Protection ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007918 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by vulnerabilities in Linux kernel ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007552 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by potential issues of XML External Entity Injection (CVE-2017-1458) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007551 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by potential issues of Cross-Site Scripting (CVE-2017-1457) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007550 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security has updated commons-fileupload for known vulnerabilities (CVE-2016-3092) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007539 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by a less-secure algorithm during negotiations vulnerability (CVE-2017-1491) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007535 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.08.2017
by Daily end-of-shift report 31 Aug '17

31 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-08-2017 18:00 − Donnerstag 31-08-2017 18:00 Handler: Robert Waldner Co-Handler: Olaf Schwarz ===================== = News = ===================== ∗∗∗ Dissecting the Chrome Extension Facebook malware ∗∗∗ --------------------------------------------- The Facebook malware that spread last week was dissected in a collaboration with Kaspersky Lab and Detectify. We were able to get help from the involved companies and cloud services to quickly shut down parts of the attack to mitigate it as fast as possible. --------------------------------------------- http://securelist.com/dissecting-the-chrome-extension-facebook-malware/8171… ∗∗∗ Cyber Security Assessment Netherlands 2017: Digital resilience is lagging behind the increasing threat ∗∗∗ --------------------------------------------- The digital resilience of individuals and organisations is lagging behind the increasing threat. Government, business and citizens take many steps to increase digital resilience, but this is not happening fast enough. This is apparent from the Cyber Security Assessment Netherlands 2017 (CSAN 2017), which demissionary State Secretary Dijkhoff sent to parliament in June and which is being published in English today. --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/cyber-security-assessment-n… ∗∗∗ A Framework for Cyber Security Insurance ∗∗∗ --------------------------------------------- New paper: "Policy measures and cyber insurance: a framework," by Daniel Woods and Andrew Simpson, Journal of Cyber Policy, 2017.Abstract: The role of the insurance industry in driving improvements in cyber security has been identified as mutually beneficial for both insurers and policy-makers. To date, there has been no consideration of the roles governments and the insurance industry should pursue in support of this public-private partnership. --------------------------------------------- https://www.schneier.com/blog/archives/2017/08/a_framework_for.html ∗∗∗ Mining Adminers – Hackers Scan the Internet For DB Scripts ∗∗∗ --------------------------------------------- Hackers are constantly scanning the internet for exploitable sites, which is why even small, new sites should be fully patched and protected. At the same time, it is not feasible to scan the whole internet with 330+ million domains and billions of web pages. Even Google can’t do it, but hackers are always getting better at reconnaissance. Despite these limitations, scanning just 1% of the internet allows attackers to discover thousands of vulnerable sites. --------------------------------------------- https://blog.sucuri.net/2017/08/mining-adminers-hackers-scan-the-internet-f… ∗∗∗ Herzschrittmacher von St. Jude Medical: Firmware-Patches gegen Sicherheitslücken ∗∗∗ --------------------------------------------- Versierte Hacker können Herzschrittmacher der Marke Abbott angreifen, um Befehle auszuführen und Patientendaten zu stehlen. Implantatträgern wird ein baldiger Arztbesuch empfohlen, um wichtige Firmware-Updates zu installieren. --------------------------------------------- https://heise.de/-3817954 ∗∗∗ Embedded IoT: Krypto-Bibliothek mbed TLS für Lauschattacken anfällig ∗∗∗ --------------------------------------------- Unter gewissen Umständen könnten Angreifer als Man in the Middle den Informationsaustausch von Geräten, die auf mbed TLS setzen, mitschneiden. Abgesicherte Versionen stehen bereit. --------------------------------------------- https://heise.de/-3819197 ∗∗∗ Vulnerability Spotlight: Multiple Gdk-Pixbuf Vulnerabilities ∗∗∗ --------------------------------------------- Today, Talos is disclosing the discovery of two remote code execution vulnerabilities which have been identified in the Gdk-Pixbuf Toolkit. This toolkit used in multiple desktop applications including Chromium, Firefox, GNOME thumbnailer, VLC and others. Exploiting this vulnerability allows an attacker to gain full control over the victims machine. --------------------------------------------- http://blog.talosintelligence.com/2017/08/vuln-spotlight-multiple-gdk.html ===================== = Advisories = ===================== ∗∗∗ IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Compute denial of service vulnerability (CVE-2016-7498) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022227 ∗∗∗ IBM Security Bulletin: Vulnerability in libtirpc affects Power Hardware Management Console (CVE-2017-8779) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1022176 ∗∗∗ IBM Security Bulletin: Vulnerabilities in BIND affect Power Hardware Management Console ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1022177 ∗∗∗ IBM Security Bulletin: IBM PowerVC is impacted by python oslo.middleware package information disclosure (CVE-2017-2592) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022229 ∗∗∗ IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance server-side request forgery (CVE-2017-7200) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022228 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affects WebSphere Application Server July 2017 CPU that is bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007046 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects WebSphere Application Server July 2017 CPU ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007002 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2017
by Daily end-of-shift report 30 Aug '17

30 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-08-2017 18:00 − Mittwoch 30-08-2017 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WireX: Google entfernt 300 DDoS-Apps aus dem Playstore ∗∗∗ --------------------------------------------- Google hat ein DDoS-Botnetz aus Android-Geräten lahmgelegt - und dazu 300 Apps aus dem Playstore entfernt. Rund 70.000 Smartphones wurden infiziert. (DoS, Virus) --------------------------------------------- https://www.golem.de/news/wirex-google-entfernt-300-ddos-apps-aus-dem-plays… ∗∗∗ Introducing WhiteBear ∗∗∗ --------------------------------------------- As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear. It is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private report. Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure. --------------------------------------------- http://securelist.com/introducing-whitebear/81638/ ∗∗∗ Security baseline for Windows 10 “Creators Update” (v1703) – FINAL ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Windows 10 “Creators Update,” also known as version 1703, “Redstone 2,” or RS2. The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs, custom ADMX files for Group Policy settings, and all the settings in spreadsheet... --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-f… ∗∗∗ Proof that HMAC-DRBG has No Back Doors ∗∗∗ --------------------------------------------- New research: "Verified Correctness and Security of mbedTLS HMAC-DRBG," by Katherine Q. Ye, Matthew Green, Naphat Sanguansin, Lennart Beringer, Adam Petcher, and Andrew W. Appel.Abstract: We have formalized the functional specification of HMAC-DRBG (NIST 800-90A), and we have proved its cryptographic security -- that its output is pseudorandom -- using a hybrid game-based proof. --------------------------------------------- https://www.schneier.com/blog/archives/2017/08/proof_that_hmac.html ===================== = Advisories = ===================== ∗∗∗ Update to Security Bulletin (APSB17-24) ∗∗∗ --------------------------------------------- The Security Bulletin (APSB17-24) published on August 8 regarding updates for Adobe Acrobat and Reader has been updated to reflect the availability of new updates as of August 29. The August 29 updates resolve a functional regression with XFA forms functionality … --------------------------------------------- https://blogs.adobe.com/psirt/?p=1484 ∗∗∗ DFN-CERT-2017-1525: Wireshark: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Wireshark können von einem entfernten, nicht authentisierten Angreifer für verschiedene Denial-of-Service (DoS)-Angriffe ausgenutzt werden. Die Ausnutzung der Schwachstellen erfordert die Verarbeitung speziell präparierter Datenpakete oder Packet-Trace-Dateien mit den Dissektoren für IrCOMM, Modbus, Profinet I/O oder MSDP. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1525/ ∗∗∗ DFN-CERT-2017-1523: Libgcrypt: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ∗∗∗ --------------------------------------------- Eine Schwachstelle in Libgcrypt ermöglicht einem lokalen, einfach authentisierten Angreifer das Ausspähen privaten Schlüsselmaterials. Das GnuPG-Projekt hat die Schwachstelle in den Versionen 1.7.9 und 1.8.1 behoben. Der Quellcode dieser Versionen steht zum Herunterladen zur Verfügung. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1523/ ∗∗∗ Multiple vulnerabilities in RubyGems ∗∗∗ --------------------------------------------- The following vulnerabilities have been reported. * a DNS request hijacking vulnerability * an ANSI escape sequence vulnerability * a DoS vulernerability in the query command * a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files --------------------------------------------- https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-ru… ∗∗∗ Cisco unveils LabVIEW code execution flaw that won’t be patched ∗∗∗ --------------------------------------------- LabVIEW, the widely used system design and development platform developed by National Instruments, sports a memory corruption vulnerability that could lead to code execution. LabVIEW is commonly used for building data acquisition, instrument control, and industrial automation systems on a variety of operating systems: Windows, macOS, Linux and Unix. The vulnerability (CVE-2017-2779) The vulnerability was discovered by Cory Duplantis of Cisco Talos earlier this year, and reported to the company. --------------------------------------------- https://www.helpnetsecurity.com/2017/08/30/labview-code-execution-flaw/ ∗∗∗ Abbott Laboratories’ Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01 ∗∗∗ AzeoTech DAQFactory ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-241-01 ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-241-02 ∗∗∗ Security Advisory - Improper Authentication Vulnerability in The FusionSphere OpenStack ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170830-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Algo Credit Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007392 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/docview.wss?uid=swg22006695 ∗∗∗ IBM Security Bulletin: Vulnerabilities in httpd affect Power Hardware Management Console ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1022175 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Power Hardware Management Console (CVE-2017-1194) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1022178 ∗∗∗ IBM Security Bulletin: IBM Transformation Extender Advanced and IBM Standards Processing Engine are susceptible to a vulnerability in 10x (CVE-2017-1152) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004796 ∗∗∗ ImageMagick Heap Overflow in TracePoint() in Processing Files Lets Remote Users Execute Arbitrary Code ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039246 ∗∗∗ SSA-535640 (Last Update 2017-08-30): Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-535640… ∗∗∗ SSA-771218 (Last Update 2017-08-30): Vulnerability in 7KM PAC Switched Ethernet PROFINET expansion module from the SENTRON portfolio ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-771218… ∗∗∗ SSA-087240 (Last Update 2017-08-30): Vulnerabilities in SIEMENS LOGO! ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-087240… ∗∗∗ HPESBGN03765 rev.2 - HPE LoadRunner and HPE Performance Center, Remote Disclosure of Information ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/portal/site/hpsc/template.PAGE/action.process/p… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.08.2017
by Daily end-of-shift report 29 Aug '17

29 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Montag 28-08-2017 18:00 − Dienstag 29-08-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Metadata From IoT Traffic Exposes In-Home User Activity ∗∗∗ --------------------------------------------- Metadata from web traffic generated by smart devices installed in a home can reveal quite a lot of information about the owners habits and lifestyle. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/technology/metadata-from-iot-traffic-… ∗∗∗ "Die ganzen Kosten und Risiken trägt im Moment der Kunde" ∗∗∗ --------------------------------------------- Das absolut Mindeste muss sein, dass der Hersteller für alle Sicherheitslücken für den gesamten Nutzungszeitraum der Software Patches für Sicherheitslücken zur Verfügung stellen muss. Wenn es nach mir ginge, bekäme der Kunde eine Pauschale pro Arbeitsplatz und Tag ohne Patch ausgezahlt, und zwar nicht seit das Sicherheitsloch öffentlich bekannt wurde, sondern – wenn das vorher war – seit der Hersteller davon wusste. --------------------------------------------- https://www.eco.de/2017/news/die-ganzen-kosten-und-risiken-traegt-im-moment… ∗∗∗ Android und Windows: MTP-Bug lässt Dateien verschwinden ∗∗∗ --------------------------------------------- Vorsicht mit Android-Geräten, die per USB an einen PC mit Windows 10 angeschlossen sind: Bei harmlosen Aufräumarbeiten können Fotos und andere Dateien unwiderruflich verloren gehen. Betroffen sind fast alle Android-Geräte außer den neueren von Samsung. --------------------------------------------- https://heise.de/-3815535 ∗∗∗ Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet ∗∗∗ --------------------------------------------- A half dozen technology and security companies -- some of them competitors -- issued the exact same press release today. This unusual level of cross-industry collaboration caps a successful effort to dismantle WireX, an extraordinary new crime machine comprising tens of thousands of hacked Android mobile devices that was used this month to launch a series of massive cyber attacks. Experts involved in the takedown warn that WireX marks the emergence of a new class of attack tools that are more --------------------------------------------- https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-a… ∗∗∗ BSI-Studie zur Analyse des Linux-Zufallszahlengenerators wird fortgesetzt ∗∗∗ --------------------------------------------- Im Rahmen einer Langzeitstudie untersucht das Bundesamt für Sicherheit in der Informationstechnik (BSI) seit 2012 die kryptografische Eignung des Linux-Zufallszahlengenerators "/dev/random". Der aktuelle Untersuchungsbericht umfasst sowohl den aktuellen als auch alle vorigen Linux-Kernel und steht in englischer Sprache auf der BSI-Webseite zum Download zur Verfügung. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Studie_Linu… ===================== = Advisories = ===================== ∗∗∗ DSA-3958 fontforge - security update ∗∗∗ --------------------------------------------- It was discovered that FontForge, a font editor, did not correctlyvalidate its input. An attacker could use this flaw by tricking a userinto opening a maliciously crafted OpenType font file, thus causing adenial-of-service via application crash, or execution of arbitrary code. --------------------------------------------- https://www.debian.org/security/2017/dsa-3958 ∗∗∗ DSA-3957 ffmpeg - security update ∗∗∗ --------------------------------------------- Several vulnerabilities have been discovered in FFmpeg, a multimediaplayer, server and encoder. These issues could lead to Denial-of-Serviceand, in some situation, the execution of arbitrary code. --------------------------------------------- https://www.debian.org/security/2017/dsa-3957 ∗∗∗ VU#403768: Akeo Consulting Rufus fails to update itself securely ∗∗∗ --------------------------------------------- http://www.kb.cert.org/vuls/id/403768 ∗∗∗ DFN-CERT-2017-1514: MISP: Eine Schwachstelle ermöglicht einen Cross-Site-Scripting-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1514/ ∗∗∗ DFN-CERT-2017-1512: OpenSSL: Eine Schwachstelle ermöglicht das Darstellen falscher Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1512/ ∗∗∗ DFN-CERT-2017-1515: Ghostscript: Mehrere Schwachstellen ermöglichen verschiedene Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1515/ ∗∗∗ DFN-CERT-2017-1517: SQLite: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1517/ ∗∗∗ Security Advisory - Two Vulnerabilities in Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170807-… ∗∗∗ Security Advisory - App Lock Bypass Vulnerability in Huawei Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170829-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025659 ∗∗∗ Pulse Connect Secure Access Control Flaw in diag.cgi Lets Remote Users Conduct Cross-Site Request Forgery Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039242 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.08.2017
by Daily end-of-shift report 28 Aug '17

28 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-08-2017 18:00 − Montag 28-08-2017 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ===================== = Advisories = ===================== ∗∗∗ Disabling Intel ME 11 via undocumented mode ∗∗∗ --------------------------------------------- .. researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. governments High Assurance Platform (HAP) program. --------------------------------------------- http://blog.ptsecurity.com/2017/08/disabling-intel-me.html ∗∗∗ Security Advisory - Two Vulnerabilities in Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017 /huawei-sa-20170807-01-smartphone-en ∗∗∗ IBM Security Bulletin: OpenSSL Security Advisory [22 Sep 2016 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010571 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sametime Community Server ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006228 ∗∗∗ IBM Security Bulletin: IBM Cognos Analytics is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007242 ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Sametime Web Player (CVE-2016-2980) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006447 ∗∗∗ IBM Security Bulletin: Security vulnerabilities in IBM Sametime Connect client (CVE-2016-0243, CVE-2016-2974) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006444 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Cisco SAN switches and directors (CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010566 ∗∗∗ IBM Security Bulletin: Various Security Vulnerabilities in IBM Sametime Proxy Server ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006441 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.08.2017
by Daily end-of-shift report 25 Aug '17

25 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-08-2017 18:00 − Freitag 25-08-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Researcher Releases Fully Working Exploit Code for iOS Kernel Vulnerability ∗∗∗ --------------------------------------------- Adam Donenfeld, a researcher with mobile security firm Zimperium, has published today proof-of-concept code for zIVA — a kernel exploit that affects iOS 10.3.1 and previous versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-releases-fully-wo… ∗∗∗ New EMPTY CryptoMix Ransomware Variant Released ∗∗∗ --------------------------------------------- Today, MalwareHunterTeam discovered a new variant of the CryptoMix ransomware that is appending the .EMPTY extension to encrypted file names. Considering that the previous variant used ERROR as the previous extension and now uses EMPTY, it is clear that the developers are running out of extensions to use. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-empty-cryptomix-ransomwa… ∗∗∗ Mobile malware factories: Android apps for creating ransomware ∗∗∗ --------------------------------------------- Mobile ransomware can now be created automatically without the need to write code. Having little to no coding experience is no longer a problem for wannabe mobile malware authors, thanks to Trojan Development Kits (TDKs). Criminals can now install an app that will allow them to quickly and easily create Android ransomware with their own devices. --------------------------------------------- https://www.symantec.com/connect/blogs/mobile-malware-factories-android-app… ∗∗∗ Analysis of Ronggolawe Ransomware and How to Block It ∗∗∗ --------------------------------------------- ... Web server ransomware is not new. In fact we witnessed first evidence of it back at 2015 and most recently in the well-known attack aimed at the South Korean web hosting company NAYANA. Unfortunately, today ransomware targeted at web servers is even more popular especially given the availability of open source malware easily found in public repositories such as GitHub. Most recently we have seen reports of a new web server ransomware called Ronggolawe, the code name for AwesomeWare. --------------------------------------------- https://www.imperva.com/blog/2017/08/ronggolawe-ransomware-how-to-block-it/ ∗∗∗ The Adventure of the Final Intel AMT Problem ∗∗∗ --------------------------------------------- Its high time to learn how cunning cyber criminals can use Intel AMT powerful capabilities to achieve their malicious goals. See the captivating story of hacking Intel AMT with all its twists and turns and awe-inspiring details with your own eyes. The freshest and the hottest presentation “MythBusters: CVE-2017-5689 – How Intel AMT could be broken completely” from HITB 2017. --------------------------------------------- https://embedi.com/news/adventure-final-intel-amt-problem ∗∗∗ Sophos UTM: Update kümmert sich um alte und neue Sicherheitslücken ∗∗∗ --------------------------------------------- In der UTM von Sophos klaffen mehrere Schwachstellen. Eine fehlerbereinigte Version steht zum Download bereit. --------------------------------------------- https://heise.de/-3812308 ∗∗∗ Android Oreo: Das sind die Sicherheits-Neuerungen bei Android 8.0 ∗∗∗ --------------------------------------------- Google härtet Android mit Google Play Protect, Schutzfunktionen für die System-UI, strikteren Regeln für nachgeladenen Code aus Drittquellen und erweiterter Isolierung von Browser-Prozessen. --------------------------------------------- https://heise.de/-3812341 ===================== = Advisories = ===================== ∗∗∗ ZDI-17-697: (0Day) Delta Industrial Automation WPLSoft dvp File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation WPLSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-697/ ∗∗∗ ESB-2017.2137 - [Appliance] WPLSoft, ISPSoft and PMSoft ∗∗∗ --------------------------------------------- This bulletin contains ten (10) Zero Day Initiative security advisories. --------------------------------------------- https://www.auscert.org.au/bulletins/51578/print ∗∗∗ Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455 ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01 ∗∗∗ Rockwell Automation Allen-Bradley Stratix and ArmoStratix ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-208-04 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ Light ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007508 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.08.2017
by Daily end-of-shift report 24 Aug '17

24 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-08-2017 18:00 − Donnerstag 24-08-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 90% of Companies Get Attacked with Three-Year-Old Vulnerabilities ∗∗∗ --------------------------------------------- A Fortinet report released this week highlights the importance of keeping secure systems up to date, or at least a few cycles off the main release, albeit this is not recommended, but better than leaving systems unpatched for years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/90-percent-of-companies-get-… ∗∗∗ Whatsapp und Signal: Zerodium bietet 500.000 US-Dollar für Messenger-Exploits ∗∗∗ --------------------------------------------- Die staatliche Nachfrage nach Sicherheitslücken für die Quellen-TKÜ zeigt offenbar Wirkung. Schwachstellen in Whatsapp, Signal und anderen Messengern werden besser honoriert als Codeausführung in Windows. --------------------------------------------- https://www.golem.de/news/whatsapp-und-signal-zerodium-bietet-500-000-us-do… ∗∗∗ Deprecated, Insecure Apple Authorization API Can Be Abused to Run Code at Root ∗∗∗ --------------------------------------------- An insecure Apple authorization API is used by numerous popular third-party application installers and can be abused by attackers ro run code as root. --------------------------------------------- http://threatpost.com/deprecated-insecure-apple-authorization-api-can-be-ab… ∗∗∗ Decrypting NotPetya/Petya: Tools for Recovering Your MFT After an Attack ∗∗∗ --------------------------------------------- In this blog post, we are making our findings, and tools, for decrypting NotPetya/Petya available to the general public. With the aid of the supplied tools, almost all of the Master File Table (MFT) can be successfully recovered within minutes. --------------------------------------------- https://www.crowdstrike.com/blog/decrypting-notpetya-tools-for-recovering-y… ∗∗∗ Im giving up on HPKP ∗∗∗ --------------------------------------------- HTTP Public Key Pinning is a very powerful standard that allows a host to instruct a browser to only accept certain public keys when communicating with it for a given period of time. Whilst HPKP can offer a lot of protection, it can also cause a lot of harm too. --------------------------------------------- https://scotthelme.co.uk/im-giving-up-on-hpkp/ ∗∗∗ Crystal Finance Millennium used to spread malware ∗∗∗ --------------------------------------------- [...] it was revealed the Crystal Finance Millennium website was indeed hacked, and serving three different flavors of malware. In this short blog post, well take a look at the malware variants that were distributed, and provide minimal background. --------------------------------------------- https://bartblaze.blogspot.de/2017/08/crystal-finance-millennium-used-to.ht… ∗∗∗ Malware über Facebook-Messenger im Umlauf, greift Windows und macOS an ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen aktuell vor einer Masche, mit der Facebook-Nutzer dazu verleitet werden sollen, trojanisierte Fake-Software zu installieren. --------------------------------------------- https://heise.de/-3811842 ∗∗∗ Kritische Sicherheitslücke in HPE iLo: "So schnell wie möglich handeln" ∗∗∗ --------------------------------------------- Die Management-Software Integrated Lights-out 4 (iLO 4) von HP-Proliant-Servern enthält eine Sicherheitslücke, über die Angreifer aus der Ferne Schadcode ausführen können, ohne sich anmelden zu müssen. --------------------------------------------- https://heise.de/-3811873 ===================== = Advisories = ===================== ∗∗∗ Cisco Meeting Server Command Injection and Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the CLI command-parsing code of Cisco Meeting Server could allow an authenticated, local attacker to perform command injection and escalate their privileges to root. The attacker must first authenticate to the application with valid administrator credentials.The vulnerability is due to insufficient validation of user-supplied input at the CLI for certain commands. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1497/">Cacti: Zwei Schwachstellen ermöglichen Cross-Site-Scripting-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1497/ ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java SDK affects Sametime Community (CVE-2016-2183) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006212 ∗∗∗ IBM Security Bulletin: Vulnerability found in OpenSSL release used by Windows and z/OS Security Identity Adapters ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007428 ∗∗∗ IBM Security Bulletin: Various Security vulnerabilities in IBM Sametime Media Server (CVE-2016-2970, CVE-2016-0729, CVE-2016-4449) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006233 ∗∗∗ HPESBHF03769 rev.1 - HPE Integrated Lights-out 4 (iLO 4) Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2017
by Daily end-of-shift report 23 Aug '17

23 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-08-2017 18:00 − Mittwoch 23-08-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ROPEMAKER Lets Attackers Change Your Emails After Delivery ∗∗∗ --------------------------------------------- A new email attack scenario nicknamed ROPEMAKER allows a threat actor to change the content of emails received by targets via remote CSS files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ropemaker-lets-attackers-cha… ∗∗∗ Google Play Store Security Scans Tricked by ...Sigh... In-Dev Malware ∗∗∗ --------------------------------------------- Google has yet to remove two apps infected with dangerous malware that are currently still available for download via the official Google Play Store. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-play-store-security-s… ∗∗∗ Malicious script dropping an executable signed by Avast?, (Wed, Aug 23rd) ∗∗∗ --------------------------------------------- Yesterday, I found an interesting sample that I started to analyze... It reached my spam trap attached to an email in Portuguese with the subject: "Venho por meio desta solicitar orçamento dos produtos” ("I hereby request the products budget”). --------------------------------------------- https://isc.sans.edu/diary/rss/22748 ∗∗∗ Apple iCloud Keychain easily slurped, ElcomSoft says ∗∗∗ --------------------------------------------- Credentials stored in the cloud succumb to forensic software ElcomSoft, the Russia-based maker of forensic software, has managed to find a way to access the data stored in Apples iCloud Keychain, if Apple ID account credentials are available. --------------------------------------------- http://www.theregister.co.uk/2017/08/22/apple_icloud_keychain_easily_slurpe… ∗∗∗ Is the Power Grid Getting More Vulnerable to Cyber Attacks? ∗∗∗ --------------------------------------------- Rising computerization opens doors for increasingly aggressive adversaries, but defenses are better than many might think. --------------------------------------------- https://www.scientificamerican.com/article/is-the-power-grid-getting-more-v… ∗∗∗ Ukrainian Security Firm Warns of Another Massive Global Cyberattack ∗∗∗ --------------------------------------------- A new wave of cyberattacks could be launched as soon as this week, Ukrainian security firm ISSP warns, pointing out that the main objective would be taking down networks on August 24 when Ukraine celebrates the Independence Day. --------------------------------------------- http://news.softpedia.com/news/ukrainian-security-firm-warns-massive-global… ∗∗∗ Google schmeißt 500 potenzielle Spionage-Apps aus App Store ∗∗∗ --------------------------------------------- Ein Software Development Kit für Werbeeinblendungen soll Schnüffelfunktionen mitbringen. Damit ausgestattete Android-Apps weisen über 100 Millionen Downloads auf, warnen Sicherheitsforscher. --------------------------------------------- https://heise.de/-3810366 ∗∗∗ Hintergrund: Hardware-Fuzzing: Hintertüren und Fehler in CPUs aufspüren ∗∗∗ --------------------------------------------- Ein Prozessor-Fuzzer analysiert Hardware, der man normalerweise blind vertrauen muss. In ersten Testläufen wurde er bei nahezu allen Architekturen fündig und spürte etwa undokumentierte CPU-Befehle auf. Sandsifter ist kostenlos und frei verfügbar; der Autor hilft sogar bei der Analyse. --------------------------------------------- https://heise.de/-3809408 ===================== = Advisories = ===================== ∗∗∗ DSA-3952 libxml2 - security update ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in libxml2, a library providingsupport to read, modify and write XML and HTML files. A remote attackercould provide a specially crafted XML or HTML file that, when processedby an application using libxml2, would cause a denial-of-service againstthe application, information leaks, or potentially, the execution ofarbitrary code with the privileges of the user running the application. --------------------------------------------- https://www.debian.org/security/2017/dsa-3952 ∗∗∗ Automated Logic Corporation WebCTRL, i-VU, SiteScan ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01 ∗∗∗ SpiderControl SCADA Web Server ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-234-03 ∗∗∗ SpiderControl SCADA MicroBrowser ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-234-02 ∗∗∗ Security Advisory - Two Command Injection Vulnerabilities in The FusionSphere OpenStack ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170823-… ∗∗∗ IBM Security Bulletin: IBM MQ Appliance is affected by a Network Security Services (NSS) vulnerability (CVE-2017-5461) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005055 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007464 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSource NTP affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002233 ∗∗∗ Multiple GNU Binutils vulnerabilities ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23729200 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.08.2017
by Daily end-of-shift report 22 Aug '17

22 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Montag 21-08-2017 18:00 − Dienstag 22-08-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Gestohlene Nacktfotos von Ski-Star Lindsey Vonn im Netz ∗∗∗ --------------------------------------------- Unbekannte haben das Handy von US-Skistar Lindsey Vonn (32) geknackt und Nacktfotos von ihr und ihrem Ex-Freund Tiger Woods (41) gestohlen. --------------------------------------------- https://futurezone.at/digital-life/gestohlene-nacktfotos-von-ski-star-linds… ∗∗∗ Unsichere Passwörter: Angriffe auf Microsoft-Konten um 300 Prozent gestiegen ∗∗∗ --------------------------------------------- Noch immer haben viele Nutzer schlechte Passwörter und benutzen diese gleich für mehrere Accounts. Das geht aus Microsofts eigener Sicherheitsanalyse hervor, die Trends aus dem Enterprise- und Privatkundengeschäft präsentiert. --------------------------------------------- https://www.golem.de/news/unsichere-passwoerter-angriffe-auf-microsoft-kont… ∗∗∗ Enigma ICO Heist Robs Nearly $500,000 in Ethereum From Investors ∗∗∗ --------------------------------------------- Cryptos fine and good, but make sure youre looking after the basics. --------------------------------------------- https://www.wired.com/story/enigma-ico-ethereum-heist ∗∗∗ Who’s Blocked by Bad Guys? ∗∗∗ --------------------------------------------- Just a quick post about an interesting file found in a phishing kit. Bad guys use common techniques to prevent crawlers, scanners or security companies from accessing their pages. Usually, .. --------------------------------------------- https://blog.rootshell.be/2017/08/21/whos-blocked-bad-guys/ ∗∗∗ Erpressungstrojaner WannaCry hat erneut zugeschlagen ∗∗∗ --------------------------------------------- Offenbar hat LG bei einigen Service-Systemen wichtige Sicherheitspatches nicht installiert und WannaCry infizierte diverse Computer des Unternehmens in Südkorea. Dabei soll es aber zu keinen größeren Schäden gekommen sein. --------------------------------------------- https://heise.de/-3809790 ∗∗∗ Kriminelle stehlen Telefonnummern von Bitcoin-Investoren ∗∗∗ --------------------------------------------- Bitten Mobilfunker um Transfer der Nummer auf neues Gerät – oft Verluste in Millionenhöhe --------------------------------------------- http://derstandard.at/2000062971633 ∗∗∗ Hacker drohen, "Game of Thrones"-Finale vorab online zu stellen ∗∗∗ --------------------------------------------- HBO hat sich bislang geweigert, Lösegeld zu bezahlen – zwei von sechs Folgen waren früher ins Netz gelangt --------------------------------------------- http://derstandard.at/2000062960237 ∗∗∗ Betrug: Mobilfunkbetreiber warnen vor "Ping Calls" ∗∗∗ --------------------------------------------- Hinter unbekannter Nummer auf dem Handydisplay steckt manchmal ein Betrüger --------------------------------------------- http://derstandard.at/2000062990431 ===================== = Advisories = ===================== ∗∗∗ Sicherheitsupdate: Thunderbird updaten und sicher konfigurieren ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Mozilla Thunderbird ermöglichen einem entfernten, nicht authentisierten Angreifer das Ausführen beliebigen Programmcodes, das Umgehen von Sicherheitsvorkehrungen, die Darstellung falscher Informationen und verschiedener Denial-of-Service (DoS)-Angriffe. --------------------------------------------- https://www.kuketz-blog.de/sicherheitsupdate-thunderbird-updaten-und-sicher… ∗∗∗ DSA-3949 augeas - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3949 ∗∗∗ Multiple vulnerabilities in Progress Sitefinity ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-… ∗∗∗ Multiple critical vulnerabilities in AGFEO smart home ES 5xx/6xx products ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-critical-vulnerabil… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.08.2017
by Daily end-of-shift report 21 Aug '17

21 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-08-2017 18:00 − Montag 21-08-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Researchers Win $100,000 for New Spear-Phishing Detection Method ∗∗∗ --------------------------------------------- Facebook has awarded this years Internet Defense Prize worth $100,000 to a team of researchers from the University of California, Berkeley, who came up with a new method of detecting spear-phishing attacks in closely monitored enterprise networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-win-100-000-for-… ∗∗∗ Wie Hacker große Frachtschiffe ins Visier nehmen ∗∗∗ --------------------------------------------- Mithilfe von Malware können Handelsschiffe lahmgelegt und manövrierunfähig gemacht werden. Kriminelle könnten sogar die Kollision zweier Schiffe herbeiführen. --------------------------------------------- https://futurezone.at/digital-life/wie-hacker-grosse-frachtschiffe-ins-visi… ∗∗∗ Personal Security Guide – iOS/Android ∗∗∗ --------------------------------------------- We’ve covered a lot of personal security practices, but many people forget how important it is to secure mobile devices, which are riddled with personal information. --------------------------------------------- https://blog.sucuri.net/2017/08/personal-security-guide-iosandroid.html ∗∗∗ Warning: Enigma Hacked; Over $470,000 in Ethereum Stolen So Far ∗∗∗ --------------------------------------------- More Ethereum Stolen! An unknown hacker has so far stolen more than $471,000 worth of Ethereum—one of the most popular and increasingly valuable cryptocurrencies—in yet another Ethereum hack that hit the popular cryptocurrency investment platform, Enigma. --------------------------------------------- http://thehackernews.com/2017/08/enigma-cryptocurrency-hack.html ∗∗∗ DNSSEC Key Signing Key Rollover ∗∗∗ --------------------------------------------- On October 11, 2017, the Internet Corporation for Assigned Names and Numbers (ICANN) will be changing the Root Zone Key Signing Key (KSK) used in the domain name system (DNS) Security Extensions (DNSSEC) protocol. DNSSEC is a set of DNS protocol extensions used to digitally sign DNS information, which is an important part of preventing domain name hijacking. Updating the DNSSEC KSK is a crucial security step, similar to updating a PKI Root Certificate. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/08/21/DNSSEC-Key-Signing… ∗∗∗ Zero-Day-Lücken im PDF Reader: Foxit will doch patchen ∗∗∗ --------------------------------------------- Ursprünglich wollte Foxit die zwei Lücken, die Angreifern unter bestimmten Umständen die lokale Codeausführung ermöglichen, nicht schließen. Mittlerweile hat sich der Hersteller aber anders entschieden. --------------------------------------------- https://heise.de/-3807762 ∗∗∗ SyncCrypt: Neue Ransomware lauert in JPG-Dateien ∗∗∗ --------------------------------------------- Um AV-Software auszutricksen, verbirgt sich die Ransomware SyncCrypt in Bilddateien. Einmal auf dem System, wird sie per Skript extrahiert und ausgeführt. Kostenlose Entschlüsselungs-Tools gibt es bislang nicht. --------------------------------------------- https://heise.de/-3808437 ∗∗∗ Blowing the Whistle on Bad Attribution ∗∗∗ --------------------------------------------- The New York Times this week published a fascinating story about a young programmer in Ukraine whod turned himself in to the local police. The Times says the man did so after one of his software tools was identified by the U.S. government as part of the arsenal used by Russian hackers suspected of hacking into the Democratic National Committee (DNC) last year. Its a good read, as long as you can ignore that the premise of the piece is completely wrong. --------------------------------------------- https://krebsonsecurity.com/2017/08/blowing-the-whistle-on-bad-attribution/ ∗∗∗ Hacker übernahmen Facebook- und Twitter-Account von Playstation ∗∗∗ --------------------------------------------- Die Hackergruppe OurMine setzte mit den Social-Media-Profilen diverse Tweets und Facebook-Posts ab --------------------------------------------- http://derstandard.at/2000062906632 ===================== = Advisories = ===================== ∗∗∗ USN-3397-1: strongSwan vulnerability ∗∗∗ --------------------------------------------- A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Ubuntu 16.04 LTS Ubuntu 14.04 LTSSummarystrongSwan could be made to crash or hang if it received specially craftednetwork traffic. --------------------------------------------- http://www.ubuntu.com/usn/usn-3397-1/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Oracle® Java™ Runtime Environment version 1.7 affect IBM Flex System Manager(FSM) Storage Manager Install Anywhere (SMIA) configuration tool ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025471 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect ASP.NET Core in IBM Bluemix ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007209 ∗∗∗ IBM Security Bulletin: No verification of user rights for certain applications on MaaS360 Windows installations. (CVE-2017-1422). ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006985 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006808 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere DataPower XC10 Appliance ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005299 ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2017-1000381 and CVE-2017-11499 in Node.js affects IBM i ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022230 ∗∗∗ IBM Security Bulletin: January 2016 Java Platform Standard Edition Vulnerabilities in Multiple N Series Products ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010526 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.08.2017
by Daily end-of-shift report 18 Aug '17

18 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-08-2017 18:00 − Freitag 18-08-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Betrug: Verbraucherzentrale warnt vor gefälschten Youporn-Mahnungen ∗∗∗ --------------------------------------------- Eine Spam-Kampagne versendet derzeit angebliche Mahnungen für die Nutzung von Youporn im Namen einer Münchener Anwaltskanzlei. Diese warnt selbst vor den Fälschungen. --------------------------------------------- https://www.golem.de/news/betrug-verbraucherzentrale-warnt-vor-gefaelschten… ∗∗∗ OWASP 2017 Top 10 vs. 2013 Top 10 ∗∗∗ --------------------------------------------- After a long interval of four years, OWASP in April 2017 released a draft of its latest list of "Top 10 Web Application Security Vulnerabilities." The OWASP Top 10 has served as a benchmark for the world of application security for the last 14 years. It was designed to allow developers to identify and avoid [...] --------------------------------------------- http://resources.infosecinstitute.com/owasp-2017-top-10-vs-2013-top-10/ ∗∗∗ Hacker Publishes iOS Secure Enclave Firmware Decryption Key ∗∗∗ --------------------------------------------- A hacker identified only as xerub published the decryption key unlocking the iOS Secure Enclave Processor. --------------------------------------------- http://threatpost.com/hacker-publishes-ios-secure-enclave-firmware-decrypti… ∗∗∗ Cisco schließt einen Haufen Sicherheitslücken ∗∗∗ --------------------------------------------- Cisco hat 19 Sicherheitslücken in verschiedensten Produkten mit Sicherheitsupdates geschlossen. Drei der Updates sind mit hoher Priorität eingestuft. --------------------------------------------- https://heise.de/-3807549 ∗∗∗ Gefälschte A1-Rechnung installiert Schadsoftware ∗∗∗ --------------------------------------------- Eine gefälschte A1-Nachricht fordert Empfänger/innen dazu auf, dass sie eine Website aufrufen und sich auf dieser ihre Rechnung ansehen. Wer dem nachkommt, lädt die Datei „quittung.lnk“ herunter. Bei dieser handelt es sich um keine Kostenaufstellung, sondern um eine Verknüpfung zu einer Schadsoftware. Aus diesem Grund dürfen Sie die Verknüpfung nicht öffnen. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-a1-rec… ===================== = Advisories = ===================== ∗∗∗ Philips DoseWise Portal Vulnerabilities ∗∗∗ --------------------------------------------- This medical device advisory contains mitigation details for hard-coded credentials and cleartext storage of sensitive information vulnerabilities in Philips’ DoseWise Portal web application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01 ∗∗∗ ZDI-17-693: Bitdefender Total Security bdfwfpf Kernel Driver Double Free Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Bitdefender Total Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-693/ ∗∗∗ DFN-CERT-2017-1469: ClamAV: Mehrere Schwachstellen ermöglichen u.a. verschiedene Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1469/ ∗∗∗ DFN-CERT-2017-1476: Mozilla Thunderbird: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1476/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007056 ∗∗∗ Splunk Input Validation Flaws in Web Interface Let Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039198 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.08.2017
by Daily end-of-shift report 17 Aug '17

17 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-08-2017 18:00 − Donnerstag 17-08-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Banking Trojans Set Their Sights on Taxi and Ride-Hailing Apps ∗∗∗ --------------------------------------------- It was to be expected that Android banking trojan operators would eventually set their sights on ride-hailing applications, considering that these apps work with a users financial data on a daily basis. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/banking-trojans-set-their-si… ∗∗∗ Ransomware: Locky kehrt erneut zurück ∗∗∗ --------------------------------------------- Mit Locky kehrt eine bekannte Ransomware nach mehrmonatiger Abwesenheit zurück - mit den Dateiendungen Diablo6 und Lukitus. Immer wieder tauchen neue Versionen auf, die vermutlich von Kriminellen für erpresserische Zwecke gemietet werden. (Malware, Virus) --------------------------------------------- https://www.golem.de/news/ransomware-locky-kehrt-erneut-zurueck-1708-129539… ∗∗∗ NotPetya: Maersk erwartet bis zu 300 Millionen Dollar Verlust ∗∗∗ --------------------------------------------- Containerterminals standen still, Schiffe konnten weder gelöscht noch beladen werden: Mehrere Wochen hielt der Trojaner den dänischen Mega-Konzern Maersk in Atem. Die Reederei Maersk Line und der Hafenbetreiber APM Terminals wurden schwer getroffen. --------------------------------------------- https://heise.de/-3804688 ∗∗∗ Handy-Ersatzteile können Malware einschleusen ∗∗∗ --------------------------------------------- Über Ersatzteile könnten Angreifer unbemerkt Malware in Smartphones schmuggeln. Erkennungsmethoden oder gar Abwehrmaßnahmen gibt es bislang keine, warnen israelische Sicherheitsforscher. --------------------------------------------- https://heise.de/-3804758 ∗∗∗ Sicherheitsupdates: Angreifer könnten Drupal-Webseiten ein bisschen umbauen ∗∗∗ --------------------------------------------- Nutzer von Drupal sollten zügig die aktuellen Versionen installieren. In diesen haben die Entwickler mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-3805042 ∗∗∗ iMessage: Neuer Betrugsversuch macht die Runde ∗∗∗ --------------------------------------------- Aktuell erreichen Nutzer Nachrichten mit Links, die sie zur Eingabe persönlicher Daten nötigen. Sie stammen angeblich von Apple. --------------------------------------------- https://heise.de/-3804878 ===================== = Advisories = ===================== ∗∗∗ DSA-3944 mariadb-10.0 - security update ∗∗∗ --------------------------------------------- Several issues have been discovered in the MariaDB database server. Thevulnerabilities are addressed by upgrading MariaDB to the new upstreamversion 10.0.32. Please see the MariaDB 10.0 Release Notes for furtherdetails: --------------------------------------------- https://www.debian.org/security/2017/dsa-3944 ∗∗∗ Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-004 ∗∗∗ --------------------------------------------- Drupal 8.3.7 is a maintenance releases which contain fixes for security vulnerabilities.Download Drupal 8.3.7Updating your existing Drupal 8 sites is strongly recommended (see instructions for Drupal 8). This release fixes security issues only; there are no new features nor non-security-related bug fixes in this release. See the 8.3.7 release notes for details on important changes and known issues affecting this release. --------------------------------------------- https://www.drupal.org/SA-CORE-2017-004 ∗∗∗ Filr 3.2.1 Update ∗∗∗ --------------------------------------------- Abstract: This update provides a number of general bug fixes for Micro Focus Filr, Search and MySQL appliances including an updated Filr 3.2.1 Desktop client. --------------------------------------------- https://download.novell.com/Download?buildid=zZ3A-xIEvO0~ ∗∗∗ VU#793496: Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency ∗∗∗ --------------------------------------------- http://www.kb.cert.org/vuls/id/793496 ∗∗∗ Entity Reference - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-067 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2902596 ∗∗∗ Views refresh - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-069 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2902606 ∗∗∗ Views - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2902604 ∗∗∗ Cisco Application Policy Infrastructure Controller SSH Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco TelePresence Video Communication Server Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Ultra Services Platform Deployment Configuration Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Ultra Services Framework AutoVNF Configuration Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Communications Manager Horizontal Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco StarOS for ASR 5000 Series Routers Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco StarOS for ASR 5000 Series Routers FTP Configuration File Modification Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco StarOS for ASR 5000 Series Routers Command-Line Interface Security Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Elastic Services Controller Sensitive Log Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Elastic Services Controller Configuration Parameters Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Elastic Services Controller Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Elastic Services Controller Configuration Files Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Virtual Network Function Element Manager Arbitrary Command Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Security Appliances SNMP Polling Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco RV340, RV345, and RV345P Dual WAN Gigabit VPN Routers Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Policy Suite Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Prime Infrastructure HTML Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco AnyConnect WebLaunch Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Application Policy Infrastructure Controller Custom Binary Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Security Vulnerabilities in Apache FOP and Apache Batik affect IBM WebSphere Portal (CVE-2017-5661, CVE-2017-5662) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006871 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.08.2017
by Daily end-of-shift report 16 Aug '17

16 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Montag 14-08-2017 18:00 − Mittwoch 16-08-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Millions of RDP Endpoints Exposed Online and Ready for Bad Things ∗∗∗ --------------------------------------------- An Internet-wide scan carried out by security researchers from Rapid7 has discovered over 11 million devices with 3389/TCP ports left open online, of which over 4.1 million are specifically speaking the RDP protocol. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/millions-of-rdp-endpoints-ex… ∗∗∗ Pulse Wave - New DDoS Assault Pattern Discovered ∗∗∗ --------------------------------------------- A new method of carrying out DDoS attacks named Pulse Wave is causing problems to certain DDoS mitigation solutions, allowing attackers to down servers previously thought to be secured. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/pulse-wave-new-ddos-assault-… ∗∗∗ Attackers Backdoor Another Software Update Mechanism ∗∗∗ --------------------------------------------- Researchers at Kaspersky Lab said today that the update mechanism for Korean server management software provider NetSarang was compromised and serving a backdoor called ShadowPad. --------------------------------------------- http://threatpost.com/attackers-backdoor-another-software-update-mechanism/… ∗∗∗ Analysis of a Paypal phishing kit, (Wed, Aug 16th) ∗∗∗ --------------------------------------------- They are plenty of phishing kits in the wild that try to lure victims to provide their credentials. Services like Paypal arenice targets and we can find new fake pages almost daily. Sometimes, the web server isnt properly configured and the source code is publicly available. A few days ago, I was lucky to find a ZIP archivecontaining a very nice phishing kit targeting Paypal. I took some time to have a look at it. --------------------------------------------- https://isc.sans.edu/diary/rss/22726 ∗∗∗ Security Afterworks Spezial – DSGVO – Impulsvorträge und Diskussion ∗∗∗ --------------------------------------------- October 03, 2017 - 4:30 pm - 6:00 pm SBA Research Favoritenstraße 16 1040 Wien --------------------------------------------- https://www.sba-research.org/events/security-afterworks-dsgvo/ ∗∗∗ Decoding Complex Malware – Step-by-Step ∗∗∗ --------------------------------------------- When cleaning websites, one of the most complicated parts of our job is ensuring we find all backdoors. Most of the time, attackers inject code into different locations to increase the chances of reinfecting the site and maintaining access for as long as possible. Our research finds that in 67% of the websites we clean, there is at least one backdoor variant. --------------------------------------------- https://blog.sucuri.net/2017/08/malware-decoding-step-step-guide.html ∗∗∗ The Crisis of Connected Cars: When Vulnerabilities Affect the CAN Standard ∗∗∗ --------------------------------------------- In many instances, researchers and engineers have found ways to hack into modern, internet-capable cars, as has been documented and reported several times. One famous example is the Chrysler Jeep hack that researchers Charlie Miller and Chris Valasek discovered. This hack and those that have come before it have mostly been reliant on specific vulnerabilities in specific makes and/or brands of cars. And once reported, these vulnerabilities were quickly resolved. But what should the security [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/SJgibQgcZtQ/ ∗∗∗ ShadowPad: Spionage-Hintertür in Admintools für Unix- und Linux-Server aufgedeckt ∗∗∗ --------------------------------------------- Eine raffinierte Hintertür wurde von Angreifern per korrekt signiertem Update an die Netzwerk-Admin-Tools der koreanischen Firma NetSarang ausgeliefert. Es dauerte mehr als zwei Wochen, bis der Spionage-Trojaner im Netz eines Bankinstitutes aufflog. --------------------------------------------- https://heise.de/-3803225 ∗∗∗ EV ransomware is targeting WordPress sites ∗∗∗ --------------------------------------------- WordPress security outfit Wordfence has flagged several attempts by attackers to upload ransomware that provides them with the ability to encrypt a WordPress website’s files. They dubbed the malware "EV ransomware", due to the .ev extension that is added to the encrypted files. --------------------------------------------- https://www.helpnetsecurity.com/2017/08/16/wordpress-ransomware/ ===================== = Advisories = ===================== ∗∗∗ BMC Medical and 3B Medical Luna CPAP Machine ∗∗∗ --------------------------------------------- This medical device advisory contains mitigation details for an improper input validation vulnerability in BMC Medical’s and 3B Medical’s Luna continuous positive airway pressure therapy machine. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-227-01 ∗∗∗ Identity Reporting 5.5.1 ∗∗∗ --------------------------------------------- Abstract: This service pack provides enhancements and software fixes for Identity Reporting. For more information about these updates, see the service pack details. --------------------------------------------- https://download.novell.com/Download?buildid=iGYyq6xwjhE~ ∗∗∗ Citrix XenServer Multiple Security Updates ∗∗∗ --------------------------------------------- A number of security vulnerabilities have been identified in Citrix XenServer that may allow a malicious administrator of a guest VM to compromise the host. --------------------------------------------- https://support.citrix.com/article/CTX225941 ∗∗∗ DFN-CERT-2017-1441: Xen: Mehrere Schwachstellen ermöglichen u.a. das Eskalieren von Privilegien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1441/ ∗∗∗ DFN-CERT-2017-1442: Red Hat JBoss Data Virtualization: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1442/ ∗∗∗ Security Advisory - Out-of-Bounds Memory Access Vulnerability in the Boot Loaders of Huawei Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-… ∗∗∗ Security Advisory - Two Vulnerabilities in Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170807-… ∗∗∗ Security Advisory - Arbitrary Memory Write Vulnerability in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-… ∗∗∗ Security Advisory - Authentication Bypass Vulnerability in Huawei Honor 5S Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-… ∗∗∗ Security Advisory - Integer Overflow Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-… ∗∗∗ Security Advisory - Lack of Signature Verification Vulnerability in Some Huawei APP ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK for Node.js™ in IBM Bluemix ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006722 ∗∗∗ IBM Security Bulletin: Vulnerability in Rational DOORS Next Generation with potential for Cross-Site Scripting (CVE-2017-1338) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004138 ∗∗∗ IBM Security Bulletin:Security Vulnerability in IBM Java SDK for Quarterly CPU – April 2017 affect IBM Rational Software Architect and Rational Software Architect for WebSphere Software (CVE-2017-3511) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007149 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect Watson Explorer (CVE-2016-8688, CVE-2016-8689, CVE-2017-5601, CVE-2016-10209, CVE-2016-10350, CVE-2016-10349) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006995 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK Java™ Technology Edition Version 6, 7, 8 and IBM® Runtime Environment Java™ Version 6, 7, 8 in IBM FileNet Content Manager, and IBM Content Foundation ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21998551 ∗∗∗ IBM Security Bulletin: Potential security vulnerability in the WebSphere Application Server Admin Console (CVE-2017-1501) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006810 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager is affected by an OpenSSL vulnerability (CVE-2016-8610) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007023 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager appliances are affected by multiple Network Time Protocol (NTP) vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007067 ∗∗∗ SSA-275839 (Last Update 2017-08-16): Denial-of-Service Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-275839… ∗∗∗ SSA-293562 (Last Update 2017-08-16): Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-293562… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.08.2017
by Daily end-of-shift report 14 Aug '17

14 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-08-2017 18:00 − Montag 14-08-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Forscher hacken Computer mit manipulierter DNA ∗∗∗ --------------------------------------------- Auch DNA ist nicht vor Schadsoftware sicher: Forscher der University of Washington konnten einen Computer mithilfe von manipulierter DNA übernehmen. --------------------------------------------- https://futurezone.at/digital-life/forscher-hacken-computer-mit-manipuliert… ∗∗∗ Remotelock LS-6i: Firmware-Update zerstört smarte Türschlösser dauerhaft ∗∗∗ --------------------------------------------- Ein Hersteller smarter Türschlösser hat mindestens 500 Geräte von Kunden durch ein falsches Firmwareupdate dauerhaft zerstört. Betroffen sind vor allem viele Airbnb-Vermieter, ein Austauschprogramm ist gestartet. --------------------------------------------- https://www.golem.de/news/remotelock-ls-6i-firmware-update-zerstoert-smarte… ∗∗∗ Sonic Spy: Forscher finden über 4.000 spionierende Android-Apps ∗∗∗ --------------------------------------------- Ein einziger Anbieter soll seit Jahresanfang rund 4.000 Apps mit bösartigem Inhalt in Umlauf gebracht haben - einige davon auch über Google Play. Die Apps können das Mikrofon aktivieren und Telefonate mitschneiden. --------------------------------------------- https://www.golem.de/news/sonic-spy-forscher-finden-ueber-4000-spionierende… ∗∗∗ Many Factors Conspire in ICS/SCADA Attacks ∗∗∗ --------------------------------------------- A report on the state of SCADA and ICS security points out that critical infrastructure operators are caught between hackers and a lack of vendor and executive support. --------------------------------------------- http://threatpost.com/many-factors-conspire-in-icsscada-attacks/127407/ ∗∗∗ Outlook Web Access based attacks, (Sat, Aug 12th) ∗∗∗ --------------------------------------------- Recently weve started seeing some attacks that utlise OWA. A person in the victim organisation sends an email to one or more of their customers informing them of change in account details. The attacker provides instructions to customers on paying their account utilising the new account details. The email is cced to other internal staff adding a level of legitimacy (also compromised accounts). --------------------------------------------- https://isc.sans.edu/diary/rss/22710 ∗∗∗ A new issue of our SWITCH Security Report is available! ∗∗∗ --------------------------------------------- Dear Reader! A new issue of our bi-monthly SWITCH Security Report is available! The topics covered in this report are: Family business: Petya and its derivatives sweep over half the world as a new wave of ransomware Pay a ransom [...] --------------------------------------------- https://securityblog.switch.ch/2017/08/14/a-new-issue-of-our-switch-securit… ∗∗∗ Sicherheitsupdate: Symantecs Messaging Gateway ist für Schadcode empfänglich ∗∗∗ --------------------------------------------- Mit der aktuellen Version haben die Entwickler zwei Sicherheitslücken in der Schutzlösung geschlossen. --------------------------------------------- https://heise.de/-3799171 ∗∗∗ Datenbank-Server PostgreSQL: Lücke lässt Anmeldung ohne Passwort zu ∗∗∗ --------------------------------------------- Administratoren, die PostgreSQL-Datenbanken betreiben, sollten ihre Software updaten. Unter bestimmten Umständen können sich Angreifer an den Servern ohne Eingabe eines Passwortes anmelden, warnen die Entwickler. --------------------------------------------- https://heise.de/-3799721 ===================== = Advisories = ===================== ∗∗∗ DSA-3937 zabbix - security update ∗∗∗ --------------------------------------------- Lilith Wyatt discovered two vulnerabilities in the Zabbix networkmonitoring system which may result in execution of arbitrary code ordatabase writes by malicious proxies. --------------------------------------------- https://www.debian.org/security/2017/dsa-3937 ∗∗∗ HPESBHF03768 rev.1 - HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- Potential security vulnerabilities have been identified in HPE Intelligent Management Center (iMC) Plat. These vulnerabilities could be exploited remotely to allow remote code execution. --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf037… ∗∗∗ VMSA-2017-0014 ∗∗∗ --------------------------------------------- VMware NSX-V Edge updates address OSPF Protocol LSA DoS --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0014.html ∗∗∗ DSA-3936 postgresql-9.6 - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3936 ∗∗∗ DSA-3935 postgresql-9.4 - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3935 ∗∗∗ IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010501 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Domino ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005160 ∗∗∗ IBM Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2017-9461) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010376 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by a Network Security Services (NSS) vulnerability (CVE-2017-5461) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006960 Next End-of-Day Report: 2017-08-16 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.08.2017
by Daily end-of-shift report 11 Aug '17

11 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-08-2017 18:00 − Freitag 11-08-2017 18:00 Handler: Alexander Riepl Co-Handler: ===================== = News = ===================== ∗∗∗ Git und Co: Bösartige Code-Repositories können Client angreifen ∗∗∗ --------------------------------------------- Mittels spezieller SSH-URLs kann ein Angreifer Code in den Client-Tools von Quellcode-Verwaltungssystemen ausführen. Der Fehler betrifft praktisch alle verbreiteten Quellcode-Verwaltungssysteme wie Git, Subversion, Mercurial und CVS. --------------------------------------------- https://www.golem.de/news /git-und-co-boesartige-code-repositories-koennen-client-angreifen-17 08-129441.html ∗∗∗ Ukrainian Video-Blogger Arrested For Spreading Petya (NotPetya) Ransomware ∗∗∗ --------------------------------------------- Ukrainian authorities have arrested a 51-year-old man accused of distributing the infamous Petya ransomware (Petya.A, also known as NotPetya) — the same computer virus that massively hit numerous businesses, organisations and banks in Ukraine .. --------------------------------------------- https://thehackernews.com/2017/08/ukraine-petya-ransomware-hacker.html ∗∗∗ Russias Fancy Bear Hackers Used Leaked NSA Tool Eternal Blue" to Target Hotel Guests ∗∗∗ --------------------------------------------- The same hackers who hit the DNC and the Clinton campaign are now apparently spying on high-value travelers via Wi-Fi --------------------------------------------- https://www.wired.com/story/fancy-bear-hotel-hack ∗∗∗ Sichere Passwörter: Viele der herkömmlichen Sicherheitsregeln bringen nichts ∗∗∗ --------------------------------------------- Passwörter brauchen Sonderzeichen, Groß- und Kleinschreibung, Zahlen und müssen oft geändert werden – viele dieser Regeln erhöhen die Sicherheit nicht, sondern bewirken oft das Gegenteil. Der Urheber dieser Regeln bereut sie mittlerweile. --------------------------------------------- https://heise.de/-3797935 ∗∗∗ "Game of Thrones": HBO wollte Hackern 250.000 Dollar Lösegeld zahlen ∗∗∗ --------------------------------------------- Offenbar nur Hinhaltetaktik – Kriminelle: Versprechen wurden gebrochen --------------------------------------------- http://derstandard.at/2000062546236 ∗∗∗ Schüler deckt Google-Lücke auf, streicht 10.000 Dollar ein ∗∗∗ --------------------------------------------- Bug Bounty-Programm verschafft Schüler aus Uruguay unerwarteten Geldsegen --------------------------------------------- http://derstandard.at/2000062559352 ===================== = Advisories = ===================== ∗∗∗ DSA-3929 libsoup2.4 - security update ∗∗∗ --------------------------------------------- Aleksandar Nikolic of Cisco Talos discovered a stack-based bufferoverflow vulnerability in libsoup2.4, a HTTP library implementation inC. A remote attacker can take advantage of this flaw by sending aspecially crafted HTTP request to cause an application using .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3929 ∗∗∗ DSA-3934 git - security update ∗∗∗ --------------------------------------------- Joern Schneeweisz discovered that git, a distributed revision controlsystem, did not correctly handle maliciously constructed ssh://URLs. This allowed an attacker to run .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3934 ∗∗∗ SIMPlight SCADA Software ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-222-01 ∗∗∗ Solar Controls Heating Control Downloader (HCDownloader) ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-222-02 ∗∗∗ Solar Controls WATTConfig M Software ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-222-03 ∗∗∗ Fuji Electric Monitouch V-SFT ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-222-04 ∗∗∗ Symantec Messaging Gateway RCE and CSRF ∗∗∗ --------------------------------------------- http://www.symantec.com/security_response/securityupdates /detail.jsp?fid=security_advisory&pvid=security_advisory&year=2017&s uid=20170810_00 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.08.2017
by Daily end-of-shift report 10 Aug '17

10 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-08-2017 18:00 − Donnerstag 10-08-2017 18:00 Handler: Alexander Riepl Co-Handler: ===================== = News = ===================== ∗∗∗ IT-Branche: "Sicherheitspaket" gefährdet Cybersicherheit ∗∗∗ --------------------------------------------- In einem offenen Brief warnen Vertreter der österreichischen IT-Branche vor Gefahren für die Cybersicherheit durch das von der ÖVP geplante „Sicherheitspaket“. --------------------------------------------- https://futurezone.at/netzpolitik/it-branche-sicherheitspaket-gefaehrdet-cy… ∗∗∗ Mystery Company Offers $250,000 Bounty for VM Escape Vulnerabilities ∗∗∗ --------------------------------------------- An unnamed firm is paying up to $250,000 for vulnerabilities related to its virtualization platform. --------------------------------------------- http://threatpost.com/mystery-company-offers-250000-bounty-for-vm-escape-vu… ∗∗∗ SAP Patch Tuesday Update Resolves 19 Flaws, Three High Severity ∗∗∗ --------------------------------------------- SAP released 19 patches on Tuesday, including a trio of vulnerabilities marked high severity in its business management software. --------------------------------------------- http://threatpost.com/sap-patch-tuesday-update-resolves-19-flaws-three-high… ∗∗∗ Salesforce sacks two top security engineers for their DEF CON talk ∗∗∗ --------------------------------------------- Revealing penetration-testing tool sealed staffers fate Salesforce fired two of its senior security engineers after they revealed details of an internal tool for testing IT defenses at DEF CON last month.… --------------------------------------------- www.theregister.co.uk/2017/08/10/salesforce_fires_its_senior_security_engin… ∗∗∗ Bundeskriminalamt (BK) warnt österreichische Unternehmen vor CEO-Betrug ∗∗∗ --------------------------------------------- http://www.bmi.gv.at/cms/bk/_news/start.aspx?id=534C4362372B557557664D3D&pa… ∗∗∗ The Shadow Brokers Have Made Almost $90,000 Selling Hacking Tools by Subscription, Researcher Says ∗∗∗ --------------------------------------------- An anonymous researcher has been able to identify the email address of people who have subscribed to the monthly dump service by the mysterious hacking group. --------------------------------------------- https://motherboard.vice.com/en_us/article/neejqw/the-shadow-brokers-have-m… ∗∗∗ Alleged vDOS Operators Arrested, Charged ∗∗∗ --------------------------------------------- Two young Israeli men alleged by this author to have co-founded vDOS -- until recently the largest and most profitable cyber attack-for-hire service online -- were arrested and formally indicted this week in Israel on conspiracy and hacking charges. --------------------------------------------- https://krebsonsecurity.com/2017/08/alleged-vdos-operators-arrested-charged/ ===================== = Advisories = ===================== ∗∗∗ Session Cache API - Critical - Multiple vulnerabilities - DRUPAL-SA-CONTRIB-2017-065 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2900951 ∗∗∗ Facebook Like Button - Moderately Critical - XSS - DRUPAL-SA-CONTRIB-2017-066 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2900966 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.08.2017
by Daily end-of-shift report 09 Aug '17

09 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-08-2017 18:00 − Mittwoch 09-08-2017 18:00 Handler: Alexander Riepl Co-Handler: Olaf Schwarz ===================== = News = ===================== ∗∗∗ Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read ∗∗∗ --------------------------------------------- For the past couple of months I’ve been presenting my “Introduction to Windows Logical Privilege Escalation Workshop” at a few conferences. The restriction of a 2 hour slot fails to do the topic justice and some interesting tips and tricks I would like to present have to be cut out. --------------------------------------------- http://googleprojectzero.blogspot.com/2017/08/windows-exploitation-tricks-a… ∗∗∗ Engineering Firm Leaks Sensitive Data on Dell, SBC and Oracle ∗∗∗ --------------------------------------------- Power Quality Engineering publicly exposed sensitive electrical infrastructure data on the public internet tied to Dell Technologies, SBC, Freescale, Oracle, Texas Instruments and the City of Austin. --------------------------------------------- http://threatpost.com/engineering-firm-leaks-sensitive-data-on-dell-sbc-and… ∗∗∗ WTF is Mughthesec!? poking on a piece of undetected adware ∗∗∗ --------------------------------------------- Some undetected adware named "Mughthesec" is infecting Macs...lets check it out! --------------------------------------------- https://objective-see.com/blog/blog_0x20.html ∗∗∗ How are people fooled by this? Email to sign a contract provides malware instead. ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/22696 ∗∗∗ Security Afterworks – Best of Summer of Security Conferences ∗∗∗ --------------------------------------------- September 14, 2017 - 4:30 pm - 6:00 pm SBA Research Favoritenstraße 16 1040 Wien --------------------------------------------- https://www.sba-research.org/events/security-afterworks-best-of-summer-of-s… ∗∗∗ Chip Off the Old EMV ∗∗∗ --------------------------------------------- Recently, Jason Knowles of ABC 7s I-Team asked us, "What is the security risk if your EMV chip falls off your credit card? What could someone do with that?" --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Chip-Off-the-Old-EMV/ ∗∗∗ Marcus Hutchins free for now as infosec world rallies around suspected banking malware dev ∗∗∗ --------------------------------------------- WannaCry ransomware killer due in court August 14 British security researcher Marcus Hutchins was released on Monday from a Nevada jail after posting bail. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/08/08/marcus_hutc… ∗∗∗ FBIs spyware-laden video claims another scalp: Alleged sextortionist charged ∗∗∗ --------------------------------------------- Feds NIT punches through Tor anonymity shield The FBI’s preferred tool for unmasking Tor users has brought about another arrest: a suspected sextortionist who allegedly tricked young girls into sharing nude pics of themselves and then blackmailed his victims. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/08/09/fbis_spywar… ∗∗∗ Critical Security Fixes from Adobe, Microsoft ∗∗∗ --------------------------------------------- Adobe has released updates to fix at least 67 vulnerabilities in its Acrobat, Reader and Flash Player software. Separately, Microsoft today issued patches to plug 48 security holes in Windows and other Microsoft products. If you use Windows or Adobe products, its time once again to get your patches on. More than two dozen of the vulnerabilities fixed in todays Windows patch bundle address "critical" .. --------------------------------------------- https://krebsonsecurity.com/2017/08/critical-security-fixes-from-adobe-micr… ∗∗∗ Sonderzeichen, Ziffern und Co: Erfinder bereut Passwort-Regeln ∗∗∗ --------------------------------------------- 2003 entwarf Bill Burr für US-Behörden Passwortregeln, die sich bald global durchsetzten – und heute als unsicher gelten --------------------------------------------- http://derstandard.at/2000062463061 ===================== = Advisories = ===================== ∗∗∗ OSIsoft PI Integrator ∗∗∗ --------------------------------------------- This advisory contains mitigation details for cross-site scripting and improper authorization vulnerabilities in OSIsoft’s PI Integrator for SAP HANA 2016, PI Integrator for Business Analytics 2016 - Data Warehouse, PI Integrator for Business Analytics 2016 - Business Intelligence, PI Integrator for Business Analytics and SAP HANA SQL Utility 2016, and PI Integrator for Microsoft Azure 2016. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-220-01 ∗∗∗ Moxa SoftNVR-IA Live Viewer ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an uncontrolled search path element vulnerability in Moxa’s SoftNVR-IA Live Viewer. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-220-02 ∗∗∗ FortiOS IKE VendorID version information disclosure ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-073 ∗∗∗ FortiWeb SNMPv3 user password viewable in HTML source code ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-162 ∗∗∗ Sicherheitslücken in mehreren Jenkins-Plugins ∗∗∗ --------------------------------------------- https://heise.de/-3796342 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.08.2017
by Daily end-of-shift report 08 Aug '17

08 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Montag 07-08-2017 18:00 − Dienstag 08-08-2017 18:00 Handler: Alexander Riepl Co-Handler: ===================== = News = ===================== ∗∗∗ Hotspot Shield: VPN-Provider soll Nutzer per Javascript ausspionieren ∗∗∗ --------------------------------------------- Der VPN-Provider Hotspot soll seine Nutzer durch Javascript-Elemente und Werbung ausspionieren - obwohl er genau das Gegenteil behauptet. Das wirft eine US-Bürgerrechtsorganisation dem Unternehmen vor und hat Beschwerde bei der FTC eingereicht. --------------------------------------------- https://www.golem.de/news/hotspot-shield-vpn-provider-soll-javascript-in-ve… ∗∗∗ Google Patches 10 Critical Bugs in August Android Security Bulletin ∗∗∗ --------------------------------------------- Googles August Android Security Bulletin featured patches for nearly a dozen remote code execution bugs impacting Googles Pixel and Nexus handsets. --------------------------------------------- http://threatpost.com/google-patches-10-critical-bugs-in-august-android-sec… ∗∗∗ Microsoft to remove WoSign and StartCom certificates in Windows 10 ∗∗∗ --------------------------------------------- Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed unacceptable security practices include back-dating SHA-1 certificates, .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wos… ∗∗∗ How Chat App Discord Is Abused by Cybercriminals to Attack ROBLOX Players ∗∗∗ --------------------------------------------- Cybercriminals targeting gamers are nothing new. We’ve reported many similar incidents in the past, from fake game apps to real-money laundering through online game currencies. Usually the aim is simple: to steal personal information and monetize it. And .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/chat-app-discord… ∗∗∗ Practical Analysis of the Cybersecurity of European Smart Grids ∗∗∗ --------------------------------------------- This paper summarizes the experience gained during a series of practical cybersecurity assessments of various components of Europe’s smart electrical grids. --------------------------------------------- http://digitalsubstation.com/en/2017/08/07/practical-analysis-of-nbsp-the-c… ∗∗∗ Google warnt Entwickler von Chrome-Erweiterungen vor Phishing-Mails ∗∗∗ --------------------------------------------- Betrüger sind auf der Jagd nach Log-in-Daten von Entwickler-Accounts, um Chrome-Erweiterungen mit Schadcode zu verseuchen und anschließend zu verteilen, warnt Google. --------------------------------------------- https://heise.de/-3795160 ∗∗∗ Hacker erpressen HBO mit weiteren "Game of Thrones"-Folgen ∗∗∗ --------------------------------------------- Erpresser haben Skript zu Folge 5 von Staffel 7 veröffentlicht und fordern Geld, um weitere Publizierungen zu unterlassen --------------------------------------------- http://derstandard.at/2000062391623 ∗∗∗ IWF warnt: Cyber-Angriffe gefährden weltweite Finanzstabilität ∗∗∗ --------------------------------------------- Attacken von Hackern und Kriminellen immer raffinierter --------------------------------------------- http://derstandard.at/2000062403498 ===================== = Advisories = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB17-23), Adobe Acrobat and Reader (APSB17-24), Adobe Experience Manager (APSB17-26) and Adobe Digital Editions (APSB17-27). Adobe recommends users update their product installations to the .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1480 ∗∗∗ Vulnerability in F2FS File System Leads To Memory Corruption on Android, Linux ∗∗∗ --------------------------------------------- August’s Android Security Bulletin includes three file system vulnerabilities (CVE-2017-10663, CVE-2017-10662, and CVE-2017-0750 that were discovered by Trend Micro researchers. These vulnerabilities could cause memory corruption on the affected devices, .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/vulnerability-f2… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.08.2017
by Daily end-of-shift report 07 Aug '17

07 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-08-2017 18:00 − Montag 07-08-2017 18:00 Handler: Alexander Riepl Co-Handler: ===================== = News = ===================== ∗∗∗ You Can Trick Self-Driving Cars by Defacing Street Signs ∗∗∗ --------------------------------------------- A team of eight researchers has discovered that by altering street signs, an adversary could confuse self-driving cars and cause their machine-learning systems to misclassify signs and take .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/you-can-trick-self-driving-c… ∗∗∗ Passwortmanager: Lastpass ab sofort doppelt so teuer ∗∗∗ --------------------------------------------- Wer den Passwortmanager Lastpass nutzt, muss künftig mehr bezahlen. Nutzern der kostenfreien Version werden einige Funktionen gestrichten. Außerdem kündigt .. --------------------------------------------- https://www.golem.de/news/passwortmanager-lastpass-ab-sofort-doppelt-so-teu… ∗∗∗ Links in phishing-like emails lead to tech support scam ∗∗∗ --------------------------------------------- Tech support scams continue to evolve, with scammers exploring more ways to reach potential victims. Recently, we have observed spam campaigns distributing links that lead to tech support scam websites. Anti-spam filters in Microsoft Exchange .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/08/07/links-in-phishing-like-… ∗∗∗ Increase of phpMyAdmin scans ∗∗∗ --------------------------------------------- PMA (or phpMyAdmin) is a well-known MySQL front-end written in PHP that brings MySQL to the web as stated on the web site[1]. The tool is very popularamongst web developers because it helps to maintain databases just by using a web browser. This also means that the front-end might be publicly exposed! It is a common findingin many penetration tests to find an old PMA interface left byan admin. --------------------------------------------- https://isc.sans.edu/diary/rss/22688 ∗∗∗ ESET Spreading FUD About Torrent Files, Clients ∗∗∗ --------------------------------------------- An anonymous reader writes: ESET has taken fear mongering, something that some security firms continue to do, to a new level by issuing a blanket warning to users to view torrent files and clients as a threat. The warning came from the companys so-called security evangelist Ondrej Kubovic, (who used extremely patchy data to try and .. --------------------------------------------- https://it.slashdot.org/story/17/08/04/1938242/eset-spreading-fud-about-tor… ∗∗∗ Tale of the Two Payloads – TrickBot and Nitol ∗∗∗ --------------------------------------------- A couple of weeks ago, we observed the Necurs botnet distributing a new malware spam campaign with a payload combo that includes Trickbot and Nitol. Trickbot is a banking trojan .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%e2… ∗∗∗ Erpressungstrojaner Cerber soll Bitcoins klauen ∗∗∗ --------------------------------------------- Offenbar ist den Malware-Entwicklern von Cerber das Lösegeld nicht genug: Der Verschlüsselungstrojaner soll sich nun auch Bitcoin-Wallets und Passwörter unter den Nagel reißen. --------------------------------------------- https://heise.de/-3793763 ∗∗∗ FireEye dementiert Hacker-Angriff auf US-Sicherheitsfirma Mandiant ∗∗∗ --------------------------------------------- Ein unbekannter Hacker brüstete sich damit, dass er das Netzwerk von Mandiant und Computer von Mitarbeitern kompromittiert hat. FireEye erklärt nun, dass das nicht stimmt. --------------------------------------------- https://heise.de/-3794454 ∗∗∗ Hackercamp SHA2017: All Computers are broken ∗∗∗ --------------------------------------------- ACAB mag in anderen Kreisen etwas anderes bedeuten, doch für Hacker ist die Sache klar: All Computers are broken. Das wurde auf dem niederländischen Hackercamp SHA2017 deutlich. --------------------------------------------- https://heise.de/-3794575 ∗∗∗ Hintergrund: Die Geschichte von Junipers enteigneter Hintertür ∗∗∗ --------------------------------------------- In einem mehrfach ausgezeichneten Paper liefern Forscher eine Art Krypto-Krimi. Sie dokumentieren minutiös, wie der Netzwerkausrüster Juniper eine versteckte Hintertür in seine Produkte einbaute – und wie ein externer Angreifer sie später umfunktionierte. --------------------------------------------- https://heise.de/-3794610 ∗∗∗ Gefälschte GMX-Nachricht: Konto gesperrt ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte GMX-Nachricht mit dem Betreff „GMX Konto Gesperrt“. Darin behaupten sie, dass das E-Mailkonto der Empfänger/innen gelöscht werde. Kund/innen, die das verhindern wollen, sollen ihre Zugangsdaten auf einer gefälschten GMX-Website .. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-gmx-nachricht-konto-… ===================== = Advisories = ===================== ∗∗∗ DSA-3926 chromium-browser - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3926 ∗∗∗ DSA-3925 qemu - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3925 ∗∗∗ Eaton ELCSoft Vulnerabilities ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-216-01-0 ∗∗∗ WP Live Chat Support <= 7.1.04 - Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8880 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.08.2017
by Daily end-of-shift report 04 Aug '17

04 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-08-2017 18:00 − Freitag 04-08-2017 18:00 Handler: Petr Sikuta Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Week In Review – 4th August 2017 ∗∗∗ --------------------------------------------- Creating Fake Identities Everything today seems to be linked to your identity; or perhaps more specifically, to your digital identity. While safeguarding ones identity is important, it is also equally important to find ways to stop people from creating fake identities. Kevin Mitnick belonged to an earlier generation that many of this generations up and comers may not have heard of. While today he is a respectable information security professional, he wasn’t always quite a white hat, and [...] --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/week-in-review-4th-aug… ∗∗∗ JavaScript Packages Caught Stealing Environment Variables ∗∗∗ --------------------------------------------- On August 1, npm Inc. — the company that runs the biggest JavaScript package repository — removed 38 JavaScript npm packages that were caught stealing environment variables from infected projects. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/javascript-packages-caught-s… ∗∗∗ Verseuchte Chrome-Erweiterung infiziert eine Million User ∗∗∗ --------------------------------------------- Die Erweiterung Web Developer wurde gekapert und durch eine Version mit Schadsoftware ausgetauscht und an User verteilt. --------------------------------------------- https://futurezone.at/digital-life/verseuchte-chrome-erweiterung-infiziert-… ∗∗∗ Verhaftung nach Black Hat: Wanna-Cry-Hacker soll Bankingtrojaner entwickelt haben ∗∗∗ --------------------------------------------- Ein britischer Sicherheitsforscher und Hacker ist in den USA verhaftet worden. Der 23-Jährige hatte unabsichtlich dazu beigetragen, die Ausbreitung von Wanna Cry zu verlangsamen. Er soll an der Entwicklung des Kronos-Bankentrojaners beteiligt gewesen sein. --------------------------------------------- https://www.golem.de/news/wanna-cry-sicherheitsforscher-malwaretech-in-den-… ∗∗∗ Weekly Security Roundup ∗∗∗ --------------------------------------------- This week, we’ve published an article about session hijacking, a dangerous hacking method that takes control of a user’s account as they are live and using it. Security articles of the week (July 31st – August 4th, 2017) The biggest story from the beginning of this week was the HBO hack that ended up with leaked [...] --------------------------------------------- https://heimdalsecurity.com/blog/weekly-security-roundup/ ∗∗∗ Cisco schließt Super-Admin-Lücke ∗∗∗ --------------------------------------------- Der Netzwerkausrüster stellt elf Sicherheitsupdates für diverse Produkte bereit. Von den Lücken soll ein mittleres bis hohes Risiko ausgehen. --------------------------------------------- https://heise.de/-3793025 ===================== = Advisories = ===================== ∗∗∗ Upcoming Security Updates for Adobe Reader and Acrobat (APSB17-24) ∗∗∗ --------------------------------------------- A prenotification Security Advisory has been posted regarding upcoming Adobe Reader and Acrobat updates scheduled for Tuesday, August 8, 2017. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1478 ∗∗∗ Schneider Electric Pro-face GP-Pro EX ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an uncontrolled search path element vulnerability in Schneider Electric’s Pro-face GP-Pro EX. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-215-01 ∗∗∗ IBM Security Bulletin: A vulnerability in libtirpc affects PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025258 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004331 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Extreme Scale ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005297 ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos TM1 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006551 ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Insight ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006550 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.08.2017
by Daily end-of-shift report 03 Aug '17

03 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-08-2017 18:00 − Donnerstag 03-08-2017 18:00 Handler: Petr Sikuta Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Windows Defender ATP machine learning: Detecting new and unusual breach activity ∗∗∗ --------------------------------------------- Microsoft has been investing heavily in next-generation security technologies. These technologies use our ability to consolidate large sets of data and build intelligent systems that learn from that data. These machine learning (ML) systems flag and surface threats that would otherwise remain unnoticed amidst the continuous hum of billions of normal events and the inability... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-ma… ∗∗∗ Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain ∗∗∗ --------------------------------------------- Over the last few months, we have been keeping an eye on the Magnitude exploit kit which is mainly used to deliver the Cerber ransomware to specific countries in Asia. Our telemetry shows that South Korea is most impacted via ongoing malvertising campaigns. When a visitor goes to a website that monetizes its traffic via adverts he may be exposed to malicious advertising. Tailored ads shown in the browser are initiated on-the-fly via a process known as Real-time Bidding (RTB). --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/08/enemy-at-the-gates-reviewi… ∗∗∗ The Retefe Saga ∗∗∗ --------------------------------------------- Surprisingly, there is a lot of media attention going on at the moment on a macOS malware called OSX/Dok. In the recent weeks, various anti-virus vendors and security researchers published blog posts on this threat, presenting their analysis and findings. While some findings where very interesting, others were misleading or simply wrong. --------------------------------------------- https://www.govcert.admin.ch/blog/33/the-retefe-saga ∗∗∗ Warnung vor Fake-Mail "Ihr Konto wurde limitiert" ∗∗∗ --------------------------------------------- [...] Diese E-Mail gibt sich als PayPal (service@ ppal.com) aus, PayPal hat mit der Betrugsmasche jedoch nichts zu tun. PayPal selbst wurde hier Opfer, indem sein Name missbräuchlich verwendet wird, um Nutzer in die Falle zu locken! --------------------------------------------- http://www.mimikama.at/allgemein/ihr-konto/ ∗∗∗ Sicherheitspatches: Varnish anfällig für DoS-Attacke ∗∗∗ --------------------------------------------- In verschiedenen Versionen von Varnish klafft eine Schwachstelle, über die Angreifer Server attackieren könnten. --------------------------------------------- https://heise.de/-3791311 ∗∗∗ Pwned Passwords: Neuer Dienst macht geknackte Passwörter auffindbar ∗∗∗ --------------------------------------------- Wurde mein Lieblings-Passwort schon einmal in einem Datenleck veröffentlicht und kann deswegen einfach für Bruteforce-Angriffe verwendet werden? Diese Frage beantwortet ein neuer Webdienst des Sicherheitsforschers Troy Hunt. --------------------------------------------- https://heise.de/-3792707 ∗∗∗ Malicious content delivered over SSL/TLS has more than doubled in six months ∗∗∗ --------------------------------------------- Threats using SSL encryption are on the rise. An average of 60 percent of the transactions in the Zscaler cloud have been delivered over SSL/TLS. Researchers also found that the Zscaler cloud saw an average of 8.4 million SSL/TLS-based security blocks per day this year. “Hackers are increasingly using SSL to conceal device infections, shroud data exfiltration and hide botnet command and control communications. --------------------------------------------- https://www.helpnetsecurity.com/2017/08/03/malicious-content-ssl-tls/ ∗∗∗ Gefälschte Bank Austria-Nachricht: Änderungen im OnlineBanking ∗∗∗ --------------------------------------------- In einer gefälschten Bank Austria-Nachricht schreiben Kriminelle, dass es zu einer Änderung im OnlineBanking-System gekommen sei. Das führt zu Fehlern, weshalb Kund/innen ihre Zugangsdaten auf einer Website nennen sollen. Empfänger/innen der Nachricht, die dem nachkommen, übermitteln ihre Passwörter an Verbrecher/innen. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-bank-austria-nachric… ===================== = Advisories = ===================== ∗∗∗ Cisco Videoscape Distribution Suite Cache Server Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the cache server within Cisco Videoscape Distribution Suite (VDS) for Television could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted appliance.The vulnerability is due to excessive mapped connections exhausting the allotted resources within the system. An attacker could exploit this vulnerability by sending large amounts of inbound traffic to a device with the intention of overloading certain resources. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the authentication module of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to bypass local authentication.The vulnerability is due to improper handling of authentication requests and policy assignment for externally authenticated users. An attacker could exploit this vulnerability by authenticating with a valid external user account that matches an internal username and incorrectly receiving the authorization policy ... --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: IBM Content Navigator Cross Site Scripting Vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003928 ∗∗∗ IBM Security Bulletin: Apache Commons Collection Java Deserialization Vulnerability in Multiple N series Products ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009711 ∗∗∗ IBM Security Bulletin: CVE-2015-4000 Diffie-Hellman Export Cipher Suite Vulnerabilities in Multiple N series Products ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009681 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.08.2017
by Daily end-of-shift report 02 Aug '17

02 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-08-2017 18:00 − Mittwoch 02-08-2017 18:00 Handler: Petr Sikuta Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Ein paar Thesen zu aktuellen Gesetzesentwürfen ∗∗∗ --------------------------------------------- Ein paar Thesen zu aktuellen Gesetzesentwürfen31. Juli 2017Das Thema "LE going dark in the age of encrytion" kocht mal wieder hoch, und noch schnell vor den Neuwahlen wurden entsprechende Gesetzesentwürfe eingebracht. Ich will hier aus technischer Sicht ein paar Argumente in die Diskussion einwerfen, .. --------------------------------------------- http://www.cert.at/services/blog/20170731130131-2076.html ∗∗∗ Auch bei Amazon: Android-Smartphones mit vorinstallierter Malware im Umlauf ∗∗∗ --------------------------------------------- Vorinstallierte Malware auf dem Smartphone dürfte für viele Nutzer ein Albtraum sein. In einem aktuellen Fall sollen günstige Smartphones des Herstellers Nomu betroffen sein. Diese sind auch in Deutschland bestellbar. --------------------------------------------- https://www.golem.de/news/auch-bei-amazon-android-smartphones-mit-vorinstal… ∗∗∗ WannaCry Inspires Banking Trojan to Add Self-Spreading Ability ∗∗∗ --------------------------------------------- Although the wave of WannaCry and Petya ransomware has now been slowed down, money-motivated hackers and cyber criminals have taken lessons from the global outbreaks to make their malware more powerful. Security researchers have now discovered at least one group of cyber criminals that are attempting to .. --------------------------------------------- https://thehackernews.com/2017/08/trickbot-banking-trojan.html ∗∗∗ Invisible Man malware runs keylogger on your Android banking apps ∗∗∗ --------------------------------------------- Top tip: Dont fetch and install dodgy Flash updates from random websites A new breed of Android malware is picking off mobile banking customers, particularly those in the UK and Germany, were told. --------------------------------------------- http://www.theregister.co.uk/2017/08/02/banking_android_malware_in_uk/ ∗∗∗ Sorry, psycho bosses, its not OK to keylog your employees ∗∗∗ --------------------------------------------- In Germany, at least, youre gonna have to get your jollies some other way Installing keylogging software on your employees computers and using what you find to fire them is not OK, a German court has decided. --------------------------------------------- http://www.theregister.co.uk/2017/08/02/keylogging_software_for_employees/ ∗∗∗ Exposed IoT servers let hackers unlock prison cells, modify pacemakers ∗∗∗ --------------------------------------------- A researcher has found an often misconfigured protocol (MQTT) puts heart monitors, oil pipelines or particle accelerators at risk of attack. --------------------------------------------- http://www.zdnet.com/article/exposed-servers-hack-prison-cells-alter-pacema… ∗∗∗ Sicherheitsupdates: VMware vCenter Server und Tools angreifbar ∗∗∗ --------------------------------------------- Die Entwickler schließen mehrere Schwachstellen in ihrer Software. Keine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-3790197 ∗∗∗ Most damaging threat vector for companies? Malicious insiders ∗∗∗ --------------------------------------------- According to a new SANS survey, 40 percent of respondents rated malicious insiders (insiders who intentionally do harm) as the most damaging threat vector their companies faced. Furthermore, nearly half (49 percent) said they were in the process of developing a formal incident response plan with provisions .. --------------------------------------------- https://www.helpnetsecurity.com/2017/08/02/malicious-insiders-threat-vector/ ===================== = Advisories = ===================== ∗∗∗ Mitsubishi Electric Europe B.V. E-Designer ∗∗∗ --------------------------------------------- This advisory contains mitigation details for heap-based buffer overflow, stack-based buffer overflow, and out-of-bounds write vulnerabilities in the Mitsubishi Electric Europe B.V. E-Designer. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-213-01 ∗∗∗ Schneider Electric Trio TView ∗∗∗ --------------------------------------------- This advisory contains mitigation details for multiple vulnerabilities for Java Runtime Environment in Schneider Electric’s Trio TView software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-213-02 ∗∗∗ Security Advisory - Multiple Buffer Overflow Vulnerabilities in Driver of Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170801-… ∗∗∗ Security Advisory - DoS Vulnerability of Audio Driver in Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170802-… ∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Bastet of Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170802-… ∗∗∗ IBM Security Bulletin: Weaker than expected security in WebSphere Application Server (CVE-2017-1504) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006803 ∗∗∗ IBM Security Bulletin: Fix Available for IBM iNotes Cross-Site Scripting Vulnerability (CVE-2017-1327) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003664 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to cross-site scripting (XSS) Attack (CVE-2017-1199) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006618 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management is vulnerable to multiple OpenSSL vulnerabilities (CVE-2016-7055, CVE-2017-3730, CVE-2017-3731, CVE-2017-3732) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006602 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.08.2017
by Daily end-of-shift report 01 Aug '17

01 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Montag 31-07-2017 18:00 − Dienstag 01-08-2017 18:00 Handler: Petr Sikuta Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hacker bremsen Tesla Model X aus der Ferne ∗∗∗ --------------------------------------------- Chinesische Sicherheitsforscher konnten die Firmware manipulieren und zahlreiche Funktionen des Fahrzeugs kontrollieren. --------------------------------------------- https://futurezone.at/produkte/hacker-bremsen-tesla-model-x-aus-der-ferne/2… ∗∗∗ Rooting Out Hosts that Support Older Samba Versions, (Tue, Aug 1st) ∗∗∗ --------------------------------------------- Ive had a number of people ask how they can find services on their network that still support SMBv1. In an AD Domain you can generally have good control of patching and the required registry keys to disable SMBv1. However, for non-domain members thats tougher. --------------------------------------------- https://isc.sans.edu/diary/rss/22672 ∗∗∗ Windows Hacking Kurs – Durchführungsgarantie ∗∗∗ --------------------------------------------- November 30, 2017 - December 01, 2017 - All Day SBA Research Favoritenstraße 16 Vienna --------------------------------------------- https://www.sba-research.org/events/windows-hacking-kurs-durchfuhrungsgaran… ∗∗∗ CISSP Training – Durchführungsgarantie ∗∗∗ --------------------------------------------- September 11, 2017 - September 15, 2017 - All Day SBA Research Favoritenstraße 16 Vienna --------------------------------------------- https://www.sba-research.org/events/cissp-training-durchfuhrungsgarantie-6/ ∗∗∗ Incident Response Kurs – Durchführungsgarantie ∗∗∗ --------------------------------------------- September 27, 2017 - September 29, 2017 - All Day SBA Research Favoritenstraße 16 1040 Wien --------------------------------------------- https://www.sba-research.org/events/incident-response-kurs-durchfuhrungsgar… ∗∗∗ Cobalt strikes back: an evolving multinational threat to finance ∗∗∗ --------------------------------------------- Cobalt has attacked banks, financial exchanges, insurance companies, investment funds, and other financial organizations. The group is not afraid to use the names of regulatory authorities or security topics to trick recipients into opening phishing messages from illegitimate domains. Now they actively use Supply Chain Attacks to leverage the infrastructure and accounts of actual employees at one company, in order to forge convincing emails targeting a different partner organization --------------------------------------------- http://blog.ptsecurity.com/2017/08/cobalt-group-2017-cobalt-strikes-back.ht… ∗∗∗ Reddoxx: Angreifer können TÜV-geprüfte Mail-Archivierungssoftware kapern ∗∗∗ --------------------------------------------- Ein einfacher Ping-Befehl, der über ein Admin-Interface ausgelöst wird lässt sich von jedermann aus der Ferne missbrauchen, um beliebigen Code auszuführen. So können Angreifer die E-Mail-Software für rechtssichere Archivierung übernehmen. --------------------------------------------- https://heise.de/-3785041 ∗∗∗ Phisher bringen Chrome-Erweiterung Copyfish unter ihre Kontrolle ∗∗∗ --------------------------------------------- Wer die aktuelle Version von Copyfish installiert hat, wird von Werbeeinblendungen genervt. Nun hat Google die von Betrügern manipulierte Chrome-Erweiterung offline genommen. --------------------------------------------- https://heise.de/-3787978 ∗∗∗ NeoCoolCam: Chinesische IP-Kameras mit massiven Sicherheitslücken ∗∗∗ --------------------------------------------- Sicherheitsforscher haben wieder einmal gravierende Sicherheitslücken in IP-Kameras aufgedeckt. Mindestens 175.000 Geräte des Herstellers Shenzhen Neo Electronics lassen sich mit einfachen Mitteln aus dem Netz kapern. --------------------------------------------- https://heise.de/-3788061 ∗∗∗ Hackers can turn Amazon Echo into a covert listening device ∗∗∗ --------------------------------------------- New research released by MWR InfoSecurity reveals how attackers can compromise the Amazon Echo and turn it into a covert listening device, without affecting its overall functionality. Found to be susceptible to a physical attack, which allows an attacker to gain a root shell on the Linux Operating Systems and install malware, the Amazon Echo would enable hackers to covertly monitor and listen in on users and steal private data without their permission or knowledge. --------------------------------------------- https://www.helpnetsecurity.com/2017/08/01/amazon-echo-covert-listening/ ∗∗∗ Hinweis auf betrügerische Bestellung verbreitet Schadsoftware ∗∗∗ --------------------------------------------- Kriminelle versenden eine E-Mail, in der sie von einer Online-Bestellung sprechen. Sie sei von „Schwindlern begangen" worden. Empfänger/innen können Angaben zu der betrügerischen Bestellung auf einer Website herunterladen. Wenn sie das tun, installieren Nutzer/innen Schadsoftware auf ihrem Computer. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/hinweis-auf-betrue… ∗∗∗ KRITIS: Erster branchenspezifischer Sicherheitsstandard anerkannt ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Erster_bran… ===================== = Advisories = ===================== ∗∗∗ DFN-CERT-2017-1328: Red Hat JBoss Enterprise Application Platform: Zwei Schwachstellen ermöglichen die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1328/ ∗∗∗ DFN-CERT-2017-1330: McAfee Security Scan Plus: Eine Schwachstelle ermöglicht die Ausführung beliebiger Programme mit Benutzerrechten ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1330/ ∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is vulnerable to retrieval of access credentials by highly privileged users ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006068 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is vulnerable to a privilege escalation ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006067 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to XML External Entity Injection (XXE) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005803 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server has a network layer security vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006063 ∗∗∗ IBM Security Bulletin: Session fixation defect in IBM Security AppScan Enterprise (CVE-2016-9981) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006430 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.07.2017
by Daily end-of-shift report 31 Jul '17

31 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-07-2017 18:00 − Montag 31-07-2017 18:00 Handler: Robert Waldner Co-Handler: ===================== = News = ===================== ∗∗∗ Ein paar Thesen zu aktuellen Gesetzentwürfen ∗∗∗ --------------------------------------------- Ein paar Thesen zu aktuellen Gesetzentwürfen31. Juli 2017Das Thema "LE going dark in the age of encrytion" kocht mal wieder hoch, und noch schnell vor den Neuwahlen wurden entsprechende Gesetzesentwürfe eingebracht. Ich will hier aus technischer Sicht ein paar Argumente in die Diskussion einwerfen, beschränke mich hier aber rein auf den Aspekt Überwachung trotz Verschlüsselung. --------------------------------------------- http://www.cert.at/services/blog/20170731130131-2076.html ∗∗∗ Reverse Engineering a JavaScript Obfuscated Dropper ∗∗∗ --------------------------------------------- 1. Introduction Nowadays one of the techniques most used to spread malware on windows systems is using a JavaScript (js) dropper. A js dropper represents, in most attack scenarios, the first stage of a malware infection. It happens because Windows systems allow the execution of various scripting language using the Windows Script Host (WScript). This […]The post Reverse Engineering a JavaScript Obfuscated Dropper appeared first on InfoSec Resources. --------------------------------------------- http://resources.infosecinstitute.com/reverse-engineering-javascript-obfusc… ∗∗∗ A new era in mobile banking Trojans ∗∗∗ --------------------------------------------- In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services. --------------------------------------------- http://securelist.com/a-new-era-in-mobile-banking-trojans/79198/ ∗∗∗ LeakerLocker Mobile Ransomware Threatens to Expose User Information ∗∗∗ --------------------------------------------- While mobile ransomware such as the recent SLocker focuses on encrypting files on the victim’s devices, a new mobile ransomware named LeakerLocker taps into its victims worst fears by allegedly threatening to send personal data on a remote server and expose its contents to everyone on their contact lists. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/tDsXJe6LJ0g/ ∗∗∗ Das Millionengeschäft mit Softwarefehlern ∗∗∗ --------------------------------------------- Softwarefehler können enormen Schaden anrichten, wie zuletzt die großangelegte Cyberattacke mit der Schadsoftware „NotPetya“ gezeigt hat. Das Aufspüren solcher Schwachstellen ist die Aufgabe von Bug-Kopfgeldjägern, die damit oft gut verdienen. Interesse an den Diensten der Hacker gibt es dabei nicht nur vonseiten der Hersteller. --------------------------------------------- http://orf.at/stories/2397792/2397793/ ∗∗∗ Container security: The seven biggest mistakes companies are making ∗∗∗ --------------------------------------------- As enterprises increase adoption of containers, they also risk increasing the number of mistakes they make with the technology. Given that many companies are still wrapping their heads around the potential of container technology and how to best leverage it, that stands to reason. With that said, however, companies must ensure that they are establishing a solid foundation for security as they continue to identify strategies and workloads that make sense on a container platform. … More --------------------------------------------- https://www.helpnetsecurity.com/2017/07/31/container-security-seven-biggest… ===================== = Advisories = ===================== ∗∗∗ CAN Bus Standard Vulnerability ∗∗∗ --------------------------------------------- NCCIC/ICS-CERT is aware of a public report of a vulnerability in the Controller Area Network (CAN) Bus standard with proof-of-concept (PoC) exploit code affecting CAN Bus, a broadcast based network standard. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-209-01 ∗∗∗ Security flaw shows 3G, 4G LTE networks are just as prone to stingray phone tracking ∗∗∗ --------------------------------------------- Security researchers have revealed a recently discovered vulnerability in modern, high-speed cell networks, which they say can allow low-cost phone surveillance and location tracking. --------------------------------------------- http://www.zdnet.com/article/stingray-security-flaw-cell-networks-phone-tra… ∗∗∗ Cloud-Antivirensoftware hilft beim Datenklau aus luftdichten Netzwerken ∗∗∗ --------------------------------------------- Mindestens vier Virenscanner, die verdächtige Daten zur Analyse in die Cloud hochladen, helfen beim Datenklau von ansonsten in ihrer Kommunikationsfähigkeit beschränkten PCs. Auch Virustotal ist betroffen. --------------------------------------------- https://heise.de/-3786507 ∗∗∗ Attacking industrial pumps by adjusting valves to create bubbles in the pipes. ∗∗∗ --------------------------------------------- https://twitter.com/KraftCERT/status/891929915200856064 ∗∗∗ DFN-CERT-2017-1309/">FreeRDP: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1309/ ∗∗∗ [webapps] GitHub Enterprise < 2.8.7 - Remote Code Execution ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/42392/?rss ∗∗∗ IBM Security Bulletin: CVE-2017-3167, CVE-2017-3169, CVE-2017-7659, CVE-2017-7668 and CVE-2017-7679 in IBM i HTTP Server ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1022204 ∗∗∗ IBM Security Bulletin: 10x vulnerability in IBM Control Center could allow an outside user to obtain the ID (CVE-2017-1152) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006361 ∗∗∗ IBM Security Bulletin: Non-configured connections could cause denial of service in IBM WebSphere MQ Internet Pass-Thru (CVE-2017-1118 ) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006580 ∗∗∗ IBM Security Bulletin: A vulnerability in Java runtime from IBM affects IBM WebSphere MQ ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005123 ∗∗∗ Fortinet FortiOS Input Validation Flaws Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039020 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.07.2017
by Daily end-of-shift report 28 Jul '17

28 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-07-2017 18:00 − Freitag 28-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ Google Study Quantifies Ransomware Profits ∗∗∗ --------------------------------------------- A ransomware study released Google revealed the malware earned criminals $25 million over the past two years. --------------------------------------------- http://threatpost.com/google-study-quantifies-ransomware-revenue/127057/ ∗∗∗ Attack Uses Docker Containers To Hide, Persist, Plant Malware ∗∗∗ --------------------------------------------- Abuse of the Docker API allows remote code execution on targeted system, which enables hackers to escalate and persists thanks to novel attacks called Host Rebinding Attack and Shadow Containers. --------------------------------------------- http://threatpost.com/attack-uses-docker-containers-to-hide-persist-plant-m… ∗∗∗ The Cloak & Dagger Attack That Bedeviled Android For Months ∗∗∗ --------------------------------------------- Not all Android attacks come from firmware mistakes. --------------------------------------------- https://www.wired.com/story/cloak-and-dagger-android-malware ∗∗∗ Hacker Says He Broke Through Samsungs Secure Smartphone Platform ∗∗∗ --------------------------------------------- When his rooting exploit worked on plenty of Android devices but failed on the Samsung Galaxy S7 Edge, researcher Di Shen decided to dig into KNOX. --------------------------------------------- https://motherboard.vice.com/en_us/article/pad5jn/hacker-says-he-broke-thro… ∗∗∗ OPC Data Access IDAPython script ∗∗∗ --------------------------------------------- An IDAPython script for IDA Pro that helps reverse engineer binaries that are using the OPC Data Access protocol. --------------------------------------------- https://github.com/eset/malware-research/blob/master/industroyer/README.adoc ∗∗∗ Internet der Dinge: Wenn die Waschstraße angreift ∗∗∗ --------------------------------------------- Sicherheitsforscher haben diverse Schwachstellen in automatisierten Autowaschstraßen gefunden, die sich sogar übers Internet missbrauchen lassen. Durch ferngesteuerte Tore, Roboterarme und Hochdruck-Wasserstrahle könnte es sogar zu Personenschäden kommen. --------------------------------------------- https://heise.de/-3785654 ∗∗∗ Microsoft opens fuzz testing service to the wider public ∗∗∗ --------------------------------------------- Microsoft Security Risk Detection, a cloud-based fuzz testing service previously known under the name Project Springfield, is now open to all and sundry. --------------------------------------------- https://www.helpnetsecurity.com/2017/07/28/microsoft-fuzz-testing-service/ ===================== = Advisories = ===================== ∗∗∗ Continental AG Infineon S-Gold 2 (PMB 8876) ∗∗∗ --------------------------------------------- This advisory contains mitigation details for a stack-based buffer overflow and an improper restriction of operations within the bounds of a memory buffer vulnerability in Continental AGs Infineon S-Gold 2 (PMB 8876). --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-208-01 ∗∗∗ Mirion Technologies Telemetry Enabled Devices ∗∗∗ --------------------------------------------- This advisory contains mitigation details for use of hard-coded cryptographic key and inadequate encryption strength vulnerabilities in Mirion Technologies Telemetry Enabled Devices. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-208-02 ∗∗∗ PDQ Manufacturing, Inc. LaserWash, Laser Jet and ProTouch ∗∗∗ --------------------------------------------- This advisory contains mitigation details for improper authentication and missing encryption of sensitive data affecting PDQ Manufacturing, Inc.s LaserWash, LaserJet, and ProTouch car washes. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-208-03 ∗∗∗ Multiple Cisco Products OSPF LSA Manipulation Vulnerability ∗∗∗ --------------------------------------------- Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated, remote attacker to take full control of the OSPF Autonomous System (AS) domain routing table, allowing the attacker to intercept or black-hole traffic.The attacker could exploit this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause the targeted router [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ VMSA-2017-0012 ∗∗∗ --------------------------------------------- VMware VIX API VM Direct Access Function security issue --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0012.html ∗∗∗ VMSA-2017-0013 ∗∗∗ --------------------------------------------- VMware vCenter Server and Tools updates resolve multiple security vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0013.html ∗∗∗ Vuln: Cloud Foundry Cloud Controller API CVE-2017-8036 Incomplete Fix Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/100002 ∗∗∗ DFN-CERT-2017-1305: PHPMailer: Zwei Schwachstellen ermöglichen Cross-Site-Scripting-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1305/ ∗∗∗ DFN-CERT-2017-1310: Microsoft Outlook: Mehrere Schwachstellen ermöglichen u.a. die komplette Systemübernahme ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1310/ ∗∗∗ FortiOS XSS vulnerabilities via FortiView Application filter, FortiToken activation & SSL VPN Replacement Messages ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-104 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSource ISC Bind affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005830 ∗∗∗ IBM Security Bulletin: Fix Available for IBM iNotes Cross-site Scripting Vulnerability (CVE-2017-1332) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005233 ∗∗∗ IBM Security Bulletin: Multiple security vunerabilities in Oracle Java SE and Java SE Embedded affects IBM InfoSphere Master Data Management ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006603 ∗∗∗ IBM Security Bulletin: IBM System Networking Switch Center is affected by a Jsch vulnerability (CVE-2016-5725) ∗∗∗ --------------------------------------------- http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management is vulnerable to a Insecure JSF ViewState found in MDM User Interface (CVE-2016-9714) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006608 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to Insecure HTTP Method – TRACE discovered in MDM User Interface (CVE-2016-9718) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006606 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to a Cross Site Request Forgery discovered in MDM User Interface (CVE-2016-9716) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006610 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to cross-site scripting Attack (CVE-2016-9715) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006611 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities might affect IBM® SDK for Node.js™ ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22006298 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in coreutils, sudo, jasper, bind, bash, libtirpc, nss and nss-util affect IBM SmartCloud Entry ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025538 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in qemu-kvm and libguestfs affect SmartCloud Entry (CVE-2016-9603 CVE-2017-2633 CVE-2017-7718 CVE-2017-7980 CVE-2015-8869) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025529 ∗∗∗ IBM Security Bulletin: IBM i is affected by an OSPF vulnerability (CVE-2017-1460) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022191 ∗∗∗ IBM Security Bulletin: The BigFix Platform has a vulnerability that can cause denial of service ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003222 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management is vulnerable to a X-Frame-Options Header ClickJacking attack (CVE-2016-9719 ) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006607 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to HTTP Parameter Override discovered in MDM User Interface (CVE-2016-9717) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006605 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Cloud Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025397 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.07.2017
by Daily end-of-shift report 27 Jul '17

27 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-07-2017 18:00 − Donnerstag 27-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ IoT-Geräte in Österreich: 31.000 von 280.000 unsicher ∗∗∗ --------------------------------------------- In Österreich gibt es eine beträchtlich hohe Zahl ungeschützter Router und Webcams im Internet, so eine neue Studie von Avast. Warum das ein Problem ist und was man tun kann. --------------------------------------------- https://futurezone.at/produkte/iot-geraete-in-oesterreich-31-000-von-280-00… ∗∗∗ Lipizzan: Google findet neue Staatstrojaner-Familie für Android ∗∗∗ --------------------------------------------- Erneut hat Google eine Android-Spyware einer isrealischen Firma gefunden. Die Software tarnte sich als harmlose App im Playstore, die Rooting-Funktion wird dann nachgeladen. --------------------------------------------- https://www.golem.de/news/lipizzan-google-findet-neue-staatstrojaner-famili… ∗∗∗ Announcing the Windows Bounty Program ∗∗∗ --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/07/26/announcing-the-windows-… ∗∗∗ Extending Microsoft Edge Bounty Program ∗∗∗ --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/05/16/extending-microsoft-edg… ∗∗∗ Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets ∗∗∗ --------------------------------------------- Fully remote exploits that allow for compromise of a target without any user interaction have become something of a myth in recent years. While some are occasionally still found against insecure and unpatched targets such as routers, various IoT devices or old versions of Windows, practically no remotely exploitable bugs that reliably bypass DEP and ASLR have been found on Android and iOS. In order to compromise these devices, attackers [...] --------------------------------------------- https://blog.exodusintel.com/2017/07/26/broadpwn/ ∗∗∗ DeepINTEL Schedule updated – Psychology and Power Grids ∗∗∗ --------------------------------------------- We have updated the schedule for DeepINTEL 2017. The human mind and power grids are both critical infrastructure. Both can be manipulated and switched off, arguably. And most of us use both every day. So this is why we added two more presentations to the schedule. --------------------------------------------- http://blog.deepsec.net/deepintel-schedule-updated-psychology-power-grids/ ∗∗∗ Black Hat: Strahlungsmessgeräte per Funk manipulierbar ∗∗∗ --------------------------------------------- Ein Hacker hat Sicherheitslücken in stationären und mobilen Messgeräten für radioaktive Strahlung gefunden. Kriminelle könnten so radioaktives Material durch Kontrollen schleusen oder Fehlalarme in Kernreaktoren auslösen. Updates wird es nicht geben. --------------------------------------------- https://heise.de/-3784966 ∗∗∗ Slowloris all the things ∗∗∗ --------------------------------------------- At DEFCON, some researchers are going to announce a Slowloris-type exploit for SMB -- SMBloris. I thought Id write up some comments.The original Slowloris from several years creates a ton of connections to a web server, but only sends partial headers. The server allocates a large amount of memory to handle the requests, expecting to free that memory soon when the requests are completed. But the requests are never completed, so the memory remains tied up indefinitely. --------------------------------------------- http://blog.erratasec.com/2017/07/slowloris-all-things.html ===================== = Advisories = ===================== ∗∗∗ McAfee Releases Security Bulletin for Web Gateway ∗∗∗ --------------------------------------------- Original release date: July 27, 2017 McAfee has released a security bulletin to address multiple vulnerabilities in Web Gateway. Some of these vulnerabilities could allow a remote attacker to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/07/27/McAfee-Releases-Se… ∗∗∗ VU#547255: Dahua IP cameras Sonia web interface is vulnerable to stack buffer overflow ∗∗∗ --------------------------------------------- http://www.kb.cert.org/vuls/id/547255 ∗∗∗ Cisco Access Control System Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software Autonomic Networking Infrastructure Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Autonomic Networking Infrastructure Certificate Revocation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software Autonomic Control Plane Channel Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1295: FortiNet FortiOS, FortiAnalyzer: Mehrere Schwachstellen ermöglichen u.a die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1295/ ∗∗∗ DFN-CERT-2017-1303: Foxit PDF Compressor: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1303/ ∗∗∗ HPESBHF03765 rev.1 - HPE ConvergedSystem 700 Solution with Comware v7 Switches using OpenSSL, Remote Denial of Service (DoS) and Disclosure of Sensitive Information ∗∗∗ --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf037… ∗∗∗ Security Advisory - MaxAge LSA Vulnerability in OSPF Protocal of Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170720-… ∗∗∗ Security Advisory - BroadPwn Remote Code Execute Vulnerability ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170727-… ∗∗∗ IBM Security Bulletin: Weaker than expected security in IBM API Connect Developer Portal (CVE-2017-6922) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005722 ∗∗∗ IBM Security Bulletin: Weaker than expected security in IBM API Connect (CVE-2017-1386) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004981 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) – IBM Java SDK updates April 2017 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005840 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2017-1303) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004979 ∗∗∗ [2017-07-27] Kathrein UFSconnect 916 multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… ∗∗∗ [2017-07-27] Ubiquiti Networks UniFi Cloud Key multiple critical vulnerabilities ∗∗∗ --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2017
by Daily end-of-shift report 26 Jul '17

26 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-07-2017 18:00 − Mittwoch 26-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ Smart Drawing Pads Used for DDoS Attacks, IoT Fish Tank Used in Casino Hack ∗∗∗ --------------------------------------------- Some clever hackers found new ways to use the smart devices surrounding us, according to a report published last week by UK-based cyber-defense company Darktrace. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/smart-drawing-pads-used-for-… ∗∗∗ IOS Forensics ∗∗∗ --------------------------------------------- 1. INTRODUCTION Day by day, Smart phones and tablets are becoming popular, and hence technology used in development to add new features or improve the security of such devices is advancing too fast. iPhone and iPod are the game changer products launched by Apple. Apple operating system (IOS) devices started growing popular in the mobile [...] --------------------------------------------- http://resources.infosecinstitute.com/ios-forensics/ ∗∗∗ Windows SMB Zero Day to Be Disclosed During DEF CON ∗∗∗ --------------------------------------------- Microsoft has said it will not patch a two-decade-old Windows SMB vulnerability, called SMBloris because it behaves comparably to the Slowloris attacks. The flaw will be disclosed and demonstrated during DEF CON. --------------------------------------------- http://threatpost.com/windows-smb-zero-day-to-be-disclosed-during-def-con/1… ∗∗∗ WikiLeaks drops another cache of ‘Vault7’ stolen tools ∗∗∗ --------------------------------------------- Latest dump is a trove of malware from Raytheon used for surveillance and data collection --------------------------------------------- https://nakedsecurity.sophos.com/2017/07/26/wikileaks-drops-another-cache-o… ∗∗∗ Where are the holes in machine learning – and can we fix them? ∗∗∗ --------------------------------------------- Machine learning algorithms are increasingly a target for the bad guys - but the industry is working to stop them, explains Sophos chief data scientist Joshua Saxe --------------------------------------------- https://nakedsecurity.sophos.com/2017/07/26/where-are-the-holes-in-machine-… ∗∗∗ How a Citadel Trojan Developer Got Busted ∗∗∗ --------------------------------------------- A U.S. District Court judge in Atlanta last week handed a five year prison sentence to Mark Vartanyan, a Russian hacker who helped develop and sell the once infamous and widespread Citadel banking trojan. This fact has been reported by countless media outlets, but far less well known is the fascinating backstory about how Vartanyan got caught. --------------------------------------------- https://krebsonsecurity.com/2017/07/how-a-citadel-trojan-developer-got-bust… ===================== = Advisories = ===================== ∗∗∗ CRASHOVERRIDE Malware ∗∗∗ --------------------------------------------- CRASHOVERRIDE, aka, Industroyer, is the fourth family of malware publically identified as targeting industrial control systems (ICS). It uses a modular design, with payloads that target several industrial communication protocols and are capable of directly controlling switches and circuit breakers. Additional modules include a data-wiping component and a module capable of causing a denial of service (DoS) to Siemens SIPROTEC devices. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-206-01 ∗∗∗ NXP i.MX Product Family ∗∗∗ --------------------------------------------- This advisory was originally posted to the NCCIC Portal on June 1, 2017, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for stack-based buffer overflow and improper certificate validation vulnerabilities in the NXP i.MX Product Family. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-152-02 ∗∗∗ Bugtraq: [SECURITY] [DSA 3919-1] openjdk-8 security update ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/540926 ∗∗∗ DFN-CERT-2017-1288: Red Hat JBoss Enterprise Web Server: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1288/ ∗∗∗ Security Advisory - Two DoS Vulnerabilities in Call Module of Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170725-… ∗∗∗ Security Advisory - Resource Exhaustion Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170725-… ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities fixed in Java shipped as a component of IBM Security Privileged Identity Manager ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006547 ∗∗∗ SSA-323211 (Last Update 2017-07-25): Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact Devices ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-323211… ∗∗∗ SSA-822184 (Last Update 2017-07-26): Microsoft Web Server and HP Client Automation Vulnerabilities in Molecular Imaging Products from Siemens Healthineers ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-822184… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.07.2017
by Daily end-of-shift report 25 Jul '17

25 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Montag 24-07-2017 18:00 − Dienstag 25-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ Fruit Fly 2: Mysteriöse Mac-Malware seit Jahren aktiv ∗∗∗ --------------------------------------------- Auch Mac-Nutzer sind nicht vor Schadsoftware sicher: Eine Malware soll seit mehr als fünf Jahren aktiv sein, aber nur einige hundert Nutzer befallen haben. Die Software ermöglicht einen weitgehenden Zugriff auf den Rechner und private Informationen. (Malware, Virus) --------------------------------------------- https://www.golem.de/news/fruit-fly-2-mysterioese-mac-malware-seit-jahren-a… ∗∗∗ CowerSnail, from the creators of SambaCry ∗∗∗ --------------------------------------------- We recently reported about SambaCry, a new family of Linux Trojans exploiting a vulnerability in the Samba protocol. A week later, Kaspersky Lab analysts managed to detect a malicious program for Windows that was apparently created by the same group responsible for SambaCry. --------------------------------------------- http://securelist.com/cowersnail-from-the-creators-of-sambacry/79087/ ∗∗∗ Novel Attack Tricks Servers to Cache, Expose Personal Data ∗∗∗ --------------------------------------------- Researchers have a devised a way to trick a web server into caching pages and exposing personal data to attackers. --------------------------------------------- http://threatpost.com/novel-attack-tricks-servers-to-cache-expose-personal-… ∗∗∗ SBA Research co-organizes ROOTS 2017 ∗∗∗ --------------------------------------------- November 16, 2017 - November 17, 2017 - All Day The Imperial Riding School Vienna Ungargasse 60 Vienna --------------------------------------------- https://www.sba-research.org/events/sba-research-co-organizes-roots-2017/ ∗∗∗ Alternatives to Government-Mandated Encryption Backdoors ∗∗∗ --------------------------------------------- Policy essay: "Encryption Substitutes," by Andrew Keane Woods --------------------------------------------- https://www.schneier.com/blog/archives/2017/07/alternatives_to_1.html ∗∗∗ ShieldFS Is a Clever New Tool That Shuts Down Ransomware Before Its Too Late ∗∗∗ --------------------------------------------- By sniffing out ransomware in real-time, ShieldFS might be the cure to the internets latest security scourge. --------------------------------------------- https://www.wired.com/story/shieldfs-ransomware-protection-tool ∗∗∗ ENISA invites European utilities to join EE-ISAC Expert meeting in September ∗∗∗ --------------------------------------------- Together with the DG Energy of the European Commission, ENISA is organising a full-day expert seminar, which will be held on 7th September, 2017 in Athens. Registration is now open. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/enisa-invites-european-utilitie… ===================== = Advisories = ===================== ∗∗∗ VU#350135: Various WiMAX routers contain a authentication bypass vulnerability in custom libmtk httpd plugin ∗∗∗ --------------------------------------------- Vulnerability Note VU#350135 Various WiMAX routers contain a authentication bypass vulnerability in custom libmtk httpd plugin Original Release date: 07 Jun 2017 | Last revised: 24 Jul 2017 Overview WiMAX routers from several vendors making use of a custom httpd plugin for libmtk are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to change the administrator password on the device. --------------------------------------------- http://www.kb.cert.org/vuls/id/350135 ∗∗∗ VU#838200: Telerik Web UI contains cryptographic weakness ∗∗∗ --------------------------------------------- Vulnerability Note VU#838200 Telerik Web UI contains cryptographic weakness Original Release date: 25 Jul 2017 | Last revised: 25 Jul 2017 Overview The Telerik Web UI, versions R2 2017 (2017.2.503) and prior, is vulnerable to a cryptographic weakness which an attacker can exploit to extract encryption keys. --------------------------------------------- http://www.kb.cert.org/vuls/id/838200 ∗∗∗ [20170704] - Core - Installer: Lack of Ownership Verification ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Installer Severity: High Versions: 1.0.0 through 3.7.3 Exploit type: Lack of Ownership Verification Reported Date: 2017-Apr-06 Fixed Date: 2017-July-25 CVE Number: CVE-2017-11364 Description The CMS installer application lacked a process to verify the users ownership of a webspace, potentially allowing users to gain control. Please note: Already installed sites are not affected, as this issue is limited to the installer application! --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/dsijOki-S50/700-20170704-c… ∗∗∗ [20170705] - Core - XSS Vulnerability ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Severity: Low Versions: 1.5.0 through 3.7.3 Exploit type: XSS Reported Date: 2017-April-26 Fixed Date: 2017-July-25 CVE Number: CVE-2017-11612 Description Inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components. --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/uutSEqYQKbU/701-20170605-c… ∗∗∗ DFN-CERT-2017-1285: Cacti: Eine Schwachstelle ermöglicht einen Cross-Site-Scripting-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1285/ ∗∗∗ Vulnerability in Citrix NetScaler SD-WAN Enterprise & Standard Edition and Citrix CloudBridge Virtual WAN Edition Could Result in Unauthenticated Remote Code Execution ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX225990 ∗∗∗ IBM Security Bulletin: IBM Sterling B2B Integrator has Cross Site Scripting vulnerabilities in Queue Watcher (CVE-2017-1496) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006175 ∗∗∗ IBM Security Bulletin: A vulnerability in OpenSource GNU Glibc affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005677 ∗∗∗ IBM Security Bulletin: Security vulnerability affects the Report Builder that is shipped with Jazz Reporting Service (CVE-2017-1370) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005868 ∗∗∗ IBM Security Bulletin: Vulnerabilities in open source zlib library affect IBM Data Server Driver Package and IBM Data Server Driver for ODBC and CLI ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002754 ∗∗∗ IBM Security Bulletin: Open Source OpenSSL Vulnerabilities affect IBM Network Advisor ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010466 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities affect IBM WebSphere Portal Rich Media Edition ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005279 ∗∗∗ [2017-07-24] Cross-Site Scripting (XSS) issue in multiple Ubiquiti Networks products ∗∗∗ --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… ∗∗∗ [2017-07-24] Open Redirect issue in multiple Ubiquiti Networks products ∗∗∗ --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.07.2017
by Daily end-of-shift report 24 Jul '17

24 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-07-2017 18:00 − Montag 24-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ New Version of DarkHotel Malware Spotted Going After Political Figures ∗∗∗ --------------------------------------------- The DarkHotel hacking group, a threat actor known to engage in advanced cyber-espionage tactics, has shifted operations from targeting CEOs and businessmen to political figures. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-version-of-darkhotel-mal… ∗∗∗ How was the #TurrisHack17 ? ∗∗∗ --------------------------------------------- Since the beginning of the Turris project, we have been very happy for the opportunity to cooperate closely with our community. Without it, the project would not have been where it is now. It was largely the interest of potential […] --------------------------------------------- http://en.blog.nic.cz/2017/07/22/how-was-the-turrishack17/ ∗∗∗ FIRST releases inaugural annual report ∗∗∗ --------------------------------------------- The Forum of Incident Response and Security Teams releases inaugural annual report, covering the scope of its activities from the 2016 conference in Seoul, through its 2017 annual event in Puerto Rico. --------------------------------------------- https://www.first.org/newsroom/releases/20170724 ∗∗∗ Hacking: Microsoft beschlagnahmt Fancy-Bear-Infrastruktur ∗∗∗ --------------------------------------------- Um gegen die Hackergruppe Fancy Bear vorzugehen, nutzt Microsoft das Markenrecht und beschlagnahmt Domains. Die kriminellen Aktivitäten der Gruppe würden "die Marke und den Ruf" des Unternehmens schädigen. Komplett stoppen lassen sich die Aktivitäten aber auch auf diesem Wege nicht. (Microsoft, Server) --------------------------------------------- https://www.golem.de/news/hacking-microsoft-beschlagnahmt-fancy-bear-infras… ∗∗∗ Uber drivers new threat: the "passenger", (Mon, Jul 24th) ∗∗∗ --------------------------------------------- This week I was told about a scam attack that surprised me due to the criminals creativity. A NYC Uber driver had his Uber account and days incomings stolen by someone who was supposed to be his next passenger. --------------------------------------------- https://isc.sans.edu/diary/rss/22626 ∗∗∗ DMARC: an imperfect solution that can make a big difference ∗∗∗ --------------------------------------------- US Senator Ron Wyden has asked the Department of Homeland Security to implement DMARC. Martijn Grooten looks at what difference this could make for phishing attacks impersonating the US federal governent. Read more --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/07/dmarc-imperfect-solution-can… ===================== = Advisories = ===================== ∗∗∗ HPESBHF03745 rev.3 - HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- Potential security vulnerabilities have been identified in HPE Intelligent Management Center (iMC) PLAT. The vulnerabilities could be exploited remotely to allow execution of code. --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf037… ∗∗∗ rt-sa-2017-009 ∗∗∗ --------------------------------------------- Remote Command Execution as root in REDDOXX Appliance --------------------------------------------- https://www.redteam-pentesting.de/advisories/rt-sa-2017-009.txt ∗∗∗ rt-sa-2017-007 ∗∗∗ --------------------------------------------- Undocumented Administrative Service Account in REDDOXX Appliance --------------------------------------------- https://www.redteam-pentesting.de/advisories/rt-sa-2017-007.txt ∗∗∗ VU#586501: Inmarsat AmosConnect8 Mail Client Vulnerable to SQL Injection and Backdoor Account ∗∗∗ --------------------------------------------- http://www.kb.cert.org/vuls/id/586501 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003790 ∗∗∗ IBM Security Bulletin: Vulnerability in Samba affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005381 ∗∗∗ Palo Alto PAN-OS Unspecified Bug in DNS Proxy Lets Remote Users Execute Arbitrary Code on the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038976 ∗∗∗ Palo Alto PAN-OS Input Validation Flaw in GlobalProtect External Interface Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038975 ∗∗∗ Palo Alto PAN-OS Input Validation Flaw in Management Web Interface Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038974 ∗∗∗ Python and Jython vulnerability CVE-2013-1752 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53192206 ∗∗∗ Python and Jython vulnerability CVE-2014-7185 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K78825687 ∗∗∗ SNMP vulnerability CVE-2007-5846 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K33151296 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily